DET0462 Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows

Item	Value
ID	DET0462
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)

Analytics

Windows

AN1274

Detects anomalous network traffic on UDP 5355 (LLMNR) and UDP 137 (NBT-NS) combined with unauthorized SMB relay attempts, registry modifications re-enabling multicast name resolution, or suspicious service creation indicative of adversary-in-the-middle credential interception.

Log Sources

Data Component	Name	Channel
Service Creation (DC0060)	WinEventLog:Security	EventCode=4697
Windows Registry Key Modification (DC0063)	WinEventLog:Security	Registry key modification HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
Network Traffic Content (DC0085)	NSM:Flow	Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts
Network Traffic Flow (DC0078)	NSM:Flow	Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions

Mutable Elements

Field	Description
TrustedResponderList	Defines expected LLMNR/NBT-NS responders to tune out legitimate services.
TimeWindow	Correlation period for linking poisoned name resolution with SMB relay attempts.
SMBServiceBaseline	Normal services and SMB relay patterns in the enterprise environment.