detection.wiki

ATT&CK coverage › Technique

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Events covered

11 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon6Driver loaded
Sysmon22DNSEvent (DNS query)
Security-Auditing4624An account was successfully logged on.
Security-Auditing4625An account failed to log on.
Security-Auditing4662An operation was performed on an object.
Security-Auditing4688A new process has been created.
Security-Auditing5136A directory service object was modified.
Security-Auditing5137A directory service object was created.
Security-Auditing5145A network share object was checked to see whether client can be granted desired access.
DistributedCOM10001Unable to start a DCOM Server: param3 as param4/param5.

Authoring guide

Patterns shared across the 19 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (26 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
user5ends_with 4, ne 1, eq 1$, ANONYMOUS LOGON
source.ip4ne 4127.0.0.1, ::1, ::
LogonType4eq 4network, Network, 3
CommandLine4match 3, ends_with 1, eq 1BAAAA, UWhRCA, --adcs , --port , .exe -c "{
ObjectClass3eq 3"dnsNode", dnsNode
AuthenticationPackageName3eq 3NTLM, Kerberos
computer_name3starts_with 3
AdditionalInfo2wildcard 1, eq 1*UWhRC*BAAAA*MicrosoftDNS*, "*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
ObjectDN2wildcard 1, eq 1*UWhRC*BAAAA*MicrosoftDNS*, "*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
file.name2eq 2efsrpc, FssagentRpc, eventlog
Image2match 2, ends_with 1\sambaPipe_windows.exe, \smbrelayx, \opdump_windows.exe, PetitPotam, \ntlmrelayx
EventID2eq 2"4662", "5136", "5137", 5137, 5136
host.name1starts_with 1
param11eq 1C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
param31eq 1{054AAE20-4BEA-4347-8A35-64A533254A9D}

Top indicator values (143 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
source.ipne::147
userends_with$418
source.ipne127.0.0.148
AuthenticationPackageNameeqNTLM22
file.nameeqsamr2
file.nameeqdnsserver2
file.nameeqdhcpserver2
file.nameeqefsrpc2
file.nameeqsrvsvc2
file.nameeqlsass2
file.nameeqnetdfs2
file.nameeqSpoolss2
file.nameeqnetlogon2
file.nameeqFssagentRpc2
file.nameeqwinreg2
file.nameeqWinsPipe2
LogonTypeeqnetwork2
file.nameeqlsarpc2
file.nameeqeventlog2
Imagematch\ntlmrelayx23

Common exclusions (1 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
userends_with$1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 8 rules

Elastic 6 rules

Splunk 4 rules

Kusto Query Language 1 rule