title: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
id: df00tech-t1557-001
status: experimental
description: "Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement."
references:
  - https://attack.mitre.org/techniques/T1557/001/
  - https://df00tech.com/detections/T1557.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1557.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: this detection logic could not be auto-translated, and the
  # wildcard selection below matches every process_creation event. Replace it with
  # the KQL/SPL query published on df00tech before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized penetration testing or red team exercises where Responder or Inveigh is explicitly sanctioned via change ticket
  - Network diagnostic tools or Wireshark-based capture scripts that bind to UDP 5355/137 during authorized network analysis
  - Internal network assessment platforms that bundle Inveigh for authorized discovery scans
  - Python development or training environments running LLMNR/NBT-NS scripts in isolated lab networks
  - Security awareness training platforms that simulate poisoning attacks in controlled lab environments
level: high
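The description above explains the mechanism this rule targets: a rogue host answers LLMNR queries that no legitimate host would answer. Besides the endpoint-side process detection the rule sketches, defenders commonly validate a segment actively by querying LLMNR for a name that does not exist and treating any answer as a poisoning indicator. The script below is an added example written for this page; it is not df00tech's code and not part of the rule. It builds an RFC 4795 LLMNR query, parses responses, flags any answer to the probe name, and can send a live probe to the multicast group. The probe name, transaction ID and 192.0.2.10 answer address in `SAMPLE_RESPONSE` are constructed for the offline check and are not taken from any real capture.

```python
"""Active LLMNR poisoner check: query a nonexistent name, report anything that answers.

Added example for the T1557.001 rule page; not df00tech's code. Assumes a host with
Python 3.8+ on the segment being checked. Sample packet values are constructed.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group defined by RFC 4795
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: <len><label>...<len><label><0>."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Plain LLMNR A query: header (QR=0, all flags clear), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at pkt[off], following compression pointers (0xC0xx) as in DNS.
    Returns (name, offset just past the name as it appeared in the packet)."""
    labels, end = [], None
    for _ in range(128):                      # bounded: a malicious pointer loop cannot hang us
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                 # two-byte pointer into the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_llmnr_response(pkt: bytes) -> dict:
    """Parse header, question and answer sections of an LLMNR packet."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        aname, off = decode_name(pkt, off)
        atype, aclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if atype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)   # present A records as dotted quads
        answers.append((aname, atype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def classify_response(probe_name: str, txid: int, pkt: bytes, src_ip: str) -> Optional[str]:
    """The probe name does not exist, so any matching answer is a poisoning indicator.
    Returns a finding string, or None for silence / unrelated traffic."""
    r = parse_llmnr_response(pkt)
    if not r["is_response"] or r["id"] != txid:
        return None
    if not any(q[0].lower() == probe_name.lower() for q in r["questions"]):
        return None
    if r["answers"]:
        addrs = [a[3] for a in r["answers"]]
        return f"LLMNR poisoner suspected: {src_ip} answered {probe_name!r} with {addrs}"
    return None


def probe_network(timeout: float = 2.0) -> List[str]:
    """Send one query for a random nonexistent name; on a clean segment nobody answers."""
    name = "probe-" + "".join(random.choices("abcdefghjkmnpqrstuvwxyz23456789", k=10))
    txid = random.randrange(1, 0xFFFF)
    findings = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            try:
                data, (src, _port) = s.recvfrom(4096)
            except socket.timeout:
                break
            verdict = classify_response(name, txid, data, src)
            if verdict:
                findings.append(verdict)
    return findings


# Constructed sample (not a real capture): the reply a rogue responder would send for
# the probe name, echoing the question and answering with a pointer-compressed A record.
PROBE_NAME, PROBE_ID = "nonexistent-host-7f3a", 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", PROBE_ID, 0x8000, 1, 1, 0, 0)
    + encode_name(PROBE_NAME) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    + socket.inet_aton("192.0.2.10")
)

if __name__ == "__main__":
    print(classify_response(PROBE_NAME, PROBE_ID, SAMPLE_RESPONSE, "192.0.2.10"))
    for finding in probe_network():
        print(finding)
```

Run it on the segment where LLMNR is still enabled; an empty result from `probe_network()` is the expected, healthy outcome, and a finding names the host that answered so it can be investigated alongside the process-level telemetry this rule is meant to cover. The parser deliberately bounds pointer-following so a crafted reply cannot loop it, which matters because the input comes from the very host under suspicion.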
