Which SIEM platforms have a T1557.001 detection rule?

df00tech provides T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)?

Detecting LLMNR/NBT-NS Poisoning and SMB Relay requires the following data sources: Process: Process Creation, Network Traffic: Network Traffic Flow, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1557.001 detection?

The T1557.001 detection is rated high severity with high confidence.

What are common false positives for T1557.001?

Common false positives for T1557.001 include: Authorized penetration testing or red team exercises where Responder or Inveigh is explicitly sanctioned via change ticket; Network diagnostic tools or Wireshark-based capture scripts that bind to UDP 5355/137 during authorized network analysis; Internal network assessment platforms that bundle Inveigh for authorized discovery scans.

T1557.001 Splunk · SPL

Detect LLMNR/NBT-NS Poisoning and SMB Relay in Splunk

Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement.

MITRE ATT&CK

Tactic: Credential Access Collection
Technique: T1557 Adversary-in-the-Middle
Sub-technique: T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Canonical reference: https://attack.mitre.org/techniques/T1557/001/

SPL Detection Query

Splunk (SPL)

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval LowerImage=lower(Image), LowerCmdLine=lower(CommandLine)
| eval IsKnownTool=if(
    match(LowerImage, "(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)"),
    1, 0)
| eval IsPythonPoisoner=if(
    match(LowerImage, "python[23]?\.exe") AND
    match(LowerCmdLine, "(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)"),
    1, 0)
| eval HasInveighKeyword=if(
    match(LowerCmdLine, "(invoke-inveigh|inveigh-unprivileged|\\binveigh\\b)"),
    1, 0)
| eval HasRelayKeyword=if(
    match(LowerCmdLine, "(ntlmrelayx|smbrelayx|multirelay|-rpv)"),
    1, 0)
| eval HasLLMNRKeyword=if(
    match(LowerCmdLine, "(llmnr|nbt-ns|nbns|llmnrspoof|nbrespond)"),
    1, 0)
| eval SuspicionScore=IsKnownTool + IsPythonPoisoner + HasInveighKeyword + HasRelayKeyword + HasLLMNRKeyword
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsKnownTool, IsPythonPoisoner, HasInveighKeyword, HasRelayKeyword, HasLLMNRKeyword, SuspicionScore
| sort - SuspicionScore - _time

high severity high confidence

Detects LLMNR/NBT-NS poisoning tool execution using Sysmon Event ID 1 (Process Creation). Evaluates process image names and command lines against known poisoning tool signatures including Responder, Inveigh, ntlmrelayx, smbrelayx, MultiRelay, and their Python-based variants. Assigns a cumulative suspicion score across five indicator categories. Results sorted by SuspicionScore descending to surface the highest-confidence events first. A score of 2 or higher indicates multiple corroborating indicators and warrants immediate triage.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

Authorized penetration testing activities on the same network segment where these tools are explicitly sanctioned
Security research or training environments running Responder or Inveigh in isolated lab infrastructure
Network debugging Python scripts that reference LLMNR or NBT-NS in legitimate diagnostic contexts
Purple team exercises where Responder execution is pre-approved and documented in change management
Security assessment platforms bundling Inveigh for authorized internal network assessments

Download portable Sigma rule (.yml)

Other platforms for T1557.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Invoke-Inveigh LLMNR and NBT-NS Poisoning via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-Inveigh', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: PowerShell process binding/connecting on UDP 5355 and UDP 137. PowerShell ScriptBlock Log Event ID 4104 capturing the full Inveigh module code and runtime output. Sysmon Event ID 22 (DNS Query) for the GitHub download request.
Test 2Responder Python Execution in Analyze Mode
Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'Responder.py' and '-I'. Sysmon Event ID 3: python3.exe binding on UDP 5355 (LLMNR) and UDP 137 (NBT-NS). DeviceNetworkEvents: InitiatingProcessFileName=python3.exe with LocalPort=5355 or 137. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'Responder'.
Test 3Impacket ntlmrelayx Relay Tool Execution Against Loopback Target
Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'ntlmrelayx.py', '-t', and 'smb://'. Sysmon Event ID 3: python3.exe attempting TCP connection to 127.0.0.1:445. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'ntlmrelayx'. Connection will fail (no SMB listener on loopback) but all process creation telemetry fires.
Test 4Disable LLMNR and NBT-NS via Registry — Defensive Control Validation
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast set to DWORD 0. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_NetworkAdapterConfiguration' and 'SetTcpipNetbios'. Security Event ID 4657 (if Object Access auditing enabled): registry key modification logged.

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect LLMNR/NBT-NS Poisoning and SMB Relay in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1557.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1557.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox