EXPLORE
Sign In
← Back to Explore
T1557.001

LLMNR/NBT-NS Poisoning and SMB Relay

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same ...

Windows
22
Detections
3
Sources
2
Threat Actors

BY SOURCE

10sigma8elastic4splunk_escu

PROCEDURES (18)

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Privilege2 detections

Auto-extracted: 2 detections for privilege

Base642 detections

Auto-extracted: 2 detections for base64

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Base641 detections

Auto-extracted: 1 detections for base64

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

Base641 detections

Auto-extracted: 1 detections for base64

Dns1 detections

Auto-extracted: 1 detections for dns

Service1 detections

Auto-extracted: 1 detections for service

Inject1 detections

Auto-extracted: 1 detections for inject

THREAT ACTORS (2)

Lazarus GroupWizard Spider

DETECTIONS (22)

Attempts of Kerberos Coercion Via DNS SPN Spoofing
sigmahigh
Creation of a DNS-Named Record
elasticlow
DNS Kerberos Coercion
splunk_escu
HackTool - ADCSPwn Execution
sigmahigh
HackTool - Impacket Tools Execution
sigmahigh
Local Privilege Escalation Indicator TabTip
sigmahigh
Potential Computer Account NTLM Relay Activity
elasticmedium
Potential Kerberos Coercion via DNS-Based SPN Spoofing
elastichigh
Potential Kerberos Relay Attack against a Computer Account
elastichigh
Potential Kerberos SPN Spoofing via Suspicious DNS Query
elastichigh
Potential Machine Account Relay Attack via SMB
elastichigh
Potential NTLM Relay Attack against a Computer Account
elastichigh
Potential PetitPotam Attack Via EFS RPC Calls
sigmamedium
Potential PowerShell Pass-the-Hash/Relay Script
elastichigh
Potential SMB Relay Attack Tool Execution
sigmacritical
RottenPotato Like Attack Pattern
sigmahigh
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
sigmahigh
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
sigmahigh
WinDivert Driver Load
sigmahigh
Windows Credential Target Information Structure in Commandline
splunk_escu
Windows Kerberos Coercion via DNS
splunk_escu
Windows Short Lived DNS Record
splunk_escu