Detect LLMNR/NBT-NS Poisoning and SMB Relay in Microsoft Sentinel
Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement.
MITRE ATT&CK
- Tactic
- Credential Access Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
- Canonical reference
- https://attack.mitre.org/techniques/T1557/001/
KQL Detection Query
let PoisoningTools = dynamic(["responder.exe", "inveigh.exe", "ntlmrelayx.exe", "smbrelayx.exe", "multirelay.exe", "nbnspoof.exe", "conveigh.exe"]);
let PoisoningKeywords = dynamic(["Responder", "Inveigh", "Invoke-Inveigh", "ntlmrelayx", "smbrelayx", "MultiRelay", "NBNSpoof", "llmnr_response", "-rPv", "Inveigh-Unprivileged"]);
let PythonInterpreters = dynamic(["python.exe", "python3.exe", "python3"]);
// Branch 1: Process-based detection — known poisoning tool names or command line keywords
let ProcessAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (PoisoningTools)
or ProcessCommandLine has_any (PoisoningKeywords)
or (FileName in~ (PythonInterpreters) and ProcessCommandLine has_any (PoisoningKeywords))
| extend HasResponder = (FileName =~ "responder.exe" or ProcessCommandLine has "Responder")
| extend HasInveigh = ProcessCommandLine has_any ("Inveigh", "Invoke-Inveigh", "Inveigh-Unprivileged")
| extend HasRelay = ProcessCommandLine has_any ("ntlmrelayx", "smbrelayx", "MultiRelay")
| extend IsPythonBased = FileName in~ (PythonInterpreters)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
HasResponder, HasInveigh, HasRelay, IsPythonBased;
// Branch 2: Network-based detection — unexpected processes communicating on LLMNR/NBT-NS ports
let NetworkAlerts = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (5355, 137) or LocalPort in (5355, 137)
| where not (InitiatingProcessFileName in~ ("svchost.exe", "lsass.exe", "dns.exe", "mDNSResponder.exe", "System"))
| project Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName,
FileName = InitiatingProcessFileName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName = "",
InitiatingProcessCommandLine = "",
FolderPath = InitiatingProcessFolderPath,
HasResponder = false, HasInveigh = false, HasRelay = false, IsPythonBased = false;
ProcessAlerts
| union NetworkAlerts
| sort by Timestamp descDetects LLMNR/NBT-NS poisoning and SMB relay activity using Microsoft Defender for Endpoint DeviceProcessEvents and DeviceNetworkEvents tables. Branch 1 identifies execution of known poisoning tools by process name or command line keyword including Responder, Inveigh, Invoke-Inveigh, ntlmrelayx, and smbrelayx — covering both native executables and Python-based invocations. Branch 2 flags unexpected processes communicating on LLMNR port UDP 5355 or NBT-NS port UDP 137. Results are unioned and sorted by recency.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testing or red team exercises where Responder or Inveigh is explicitly sanctioned via change ticket
- Network diagnostic tools or Wireshark-based capture scripts that bind to UDP 5355/137 during authorized network analysis
- Internal network assessment platforms that bundle Inveigh for authorized discovery scans
- Python development or training environments running LLMNR/NBT-NS scripts in isolated lab networks
- Security awareness training platforms that simulate poisoning attacks in controlled lab environments
Other platforms for T1557.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Invoke-Inveigh LLMNR and NBT-NS Poisoning via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-Inveigh', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: PowerShell process binding/connecting on UDP 5355 and UDP 137. PowerShell ScriptBlock Log Event ID 4104 capturing the full Inveigh module code and runtime output. Sysmon Event ID 22 (DNS Query) for the GitHub download request.
- Test 2Responder Python Execution in Analyze Mode
Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'Responder.py' and '-I'. Sysmon Event ID 3: python3.exe binding on UDP 5355 (LLMNR) and UDP 137 (NBT-NS). DeviceNetworkEvents: InitiatingProcessFileName=python3.exe with LocalPort=5355 or 137. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'Responder'.
- Test 3Impacket ntlmrelayx Relay Tool Execution Against Loopback Target
Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'ntlmrelayx.py', '-t', and 'smb://'. Sysmon Event ID 3: python3.exe attempting TCP connection to 127.0.0.1:445. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'ntlmrelayx'. Connection will fail (no SMB listener on loopback) but all process creation telemetry fires.
- Test 4Disable LLMNR and NBT-NS via Registry — Defensive Control Validation
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast set to DWORD 0. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_NetworkAdapterConfiguration' and 'SetTcpipNetbios'. Security Event ID 4657 (if Object Access auditing enabled): registry key modification logged.
References (12)
- https://attack.mitre.org/techniques/T1557/001/
- https://github.com/SpiderLabs/Responder
- https://github.com/Kevin-Robertson/Inveigh
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
- https://github.com/SecureAuthCorp/impacket
- https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
- https://github.com/nomex/nbnspoof
- https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netbios/netbios
Unlock Pro Content
Get the full detection package for T1557.001 including response playbook, investigation guide, and atomic red team tests.