This note documents detection patterns related to LLMNR / Responder Poisoning within Windows environments.
Direct Indicators
| Log Source | Event ID / Error Code | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Custom Script / EventLog | LLMNRDetection | LLMNR query answered by rogue responder | Critical | Direct indicator when custom PowerShell detection logs rogue LLMNR responders. Review returned IP addresses. |
| Sysmon | 22 | DNS query | Critical | The resolver only falls back to LLMNR/NBT-NS after DNS fails, so look for QueryStatus 9003 (name does not exist) on single-label names, and for mistyped names whose QueryResults carry an address DNS never returned. |
| Security | 4648 | Logon attempted with explicit credentials | High | Logged on the victim when it authenticates to the rogue share; Target Server Name shows the mistyped host. |
| Security | 4624 | Successful logon | High | Not visible on the victim (the rogue host receives the authentication). On an SMB relay target, look for Logon Type 3 with Authentication Package NTLM from an unexpected source address. |
| Sysmon | 3 | Network connection | Critical | Victim initiates SMB/HTTP toward the responder host (TCP 445, 139, 80). The LLMNR query itself is UDP 5355 to 224.0.0.252 or ff02::1:3. |
| Sysmon | 1 | Process creation | Medium | Useful when victim launches explorer, cmd, or script triggering mistyped UNC access. |
| Sysmon | 7 | Image loaded | Low-Medium | Network DLL activity may appear depending on calling process. |
| PowerShell | 4104 | Script block logging | High | Detects manual UNC testing or scripts generating mistyped network calls. |
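The custom LLMNRDetection row above describes a script that finds rogue responders actively: it asks LLMNR for a name that does not exist and records whoever answers, because no legitimate host will. The following is an added example of that probe in Python, not the page's PowerShell script. It builds the query by hand (LLMNR reuses the DNS message format, RFC 4795), parses the answer to extract the responder's address, and includes a constructed sample reply so the parser can be exercised offline; the probe name, transaction ID and the 10.0.0.66 address are made up for the example.

```python
from __future__ import annotations
import os
import socket
import struct

LLMNR_GROUP_V4 = "224.0.0.252"   # RFC 4795 IPv4 multicast group (IPv6 is ff02::1:3)
LLMNR_PORT = 5355


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS message format: 12-byte header, then one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0 = query, QDCOUNT 1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(_read_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_response(data: bytes, txid: int, name: str) -> list[str]:
    """Return the A-record addresses in a response to our probe, [] otherwise."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:                  # must be a response to our ID
        return []
    offset = 12
    for _ in range(qdcount):
        qname, offset = _read_name(data, offset)
        offset += 4                                        # skip QTYPE + QCLASS
        if qname.lower() != name.lower():
            return []
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def probe_for_rogue_responder(name: str, timeout: float = 2.0) -> list[tuple[str, list[str]]]:
    """Send the probe on the wire: any answer for a name that does not exist is a poisoner."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_llmnr_query(name, txid)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        sock.settimeout(timeout)
        sock.sendto(query, (LLMNR_GROUP_V4, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = sock.recvfrom(4096)
                addrs = parse_llmnr_response(data, txid, name)
                if addrs:
                    hits.append((src, addrs))
        except socket.timeout:
            pass
    return hits


# Constructed sample (not a real capture): the reply a poisoner sends to our query,
# echoing the question and answering with a pointer (0xC00C) back to the question name.
SAMPLE_NAME = "fileservr-probe-k3x9"
SAMPLE_TXID = 0xBEEF
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
    + build_llmnr_query(SAMPLE_NAME, SAMPLE_TXID)[12:]
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66")
)

if __name__ == "__main__":
    print(parse_llmnr_response(SAMPLE_RESPONSE, SAMPLE_TXID, SAMPLE_NAME))   # ['10.0.0.66']
    for src, addrs in probe_for_rogue_responder("nonexistent-host-" + os.urandom(3).hex()):
        print(f"rogue LLMNR responder {src} answered with {addrs}")
```

Run it on a schedule from a few hosts per subnet with a fresh random name each time; a poisoner answers every name, a legitimate network answers none. The parser checks the transaction ID and the echoed question so a stray unrelated multicast reply is not logged as a hit.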
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Failed hostname lookup | Non-existent hostname queried | Critical | Triggers LLMNR fallback mechanism. |
| Mistyped UNC path | Access to invalid file share | Critical | Common trigger for Responder attacks. |
| SMB connection to unusual host | Victim authenticates to rogue machine | Critical | Strong poisoning evidence. |
| IPv6 poisoning response | LLMNR reply from an unexpected link-local (fe80::) address | High | Windows sends each LLMNR query to both 224.0.0.252 and ff02::1:3, and Responder answers on IPv6 as well as IPv4, so do not limit the hunt to IPv4. |
| Repeated failed share access | Multiple unresolved file requests | High | Often attacker-induced or user typo. |
Common Tools
| Tool | Usage |
|---|---|
| Responder | LLMNR / NBT-NS poisoning and NTLM capture |
| Inveigh | PowerShell (and .NET) Responder alternative that runs on a Windows host |
| Metasploit auxiliary/server/capture/smb | Rogue SMB server that captures Net-NTLM responses |
| Custom rogue SMB listener | Manual credential collection |
Relevant Artifacts
- Sysmon Event ID 22 DNS queries
- Security logs (4648, 4624)
- Sysmon Event ID 3 network connections
- SMB client logs (Microsoft-Windows-SMBClient/Operational and /Connectivity)
- PowerShell detection logs
- Packet captures showing LLMNR multicast traffic (UDP 5355 to 224.0.0.252 / ff02::1:3) and the unicast reply from the responder
- EDR network telemetry
- DNS Client Operational log (Microsoft-Windows-DNS-Client/Operational; disabled by default)
MITRE ATT&CK References
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
- T1187 Forced Authentication
Decision Tree
- Is suspicious hostname resolution present?
  - Identify queries for non-existent hostnames (Sysmon 22 with QueryStatus 9003, especially single-label names).
- Did the victim fall back to LLMNR?
  - Check Sysmon 22 results or multicast traffic to 224.0.0.252 / ff02::1:3 on UDP 5355.
- Was a rogue responder present?
  - Review the returned IP addresses; a unicast answer for a name DNS does not know is the poisoner.
- Pivot:
  - Rogue IP → inspect SMB authentication (Sysmon 3 to 445/139, 4648 on the victim).
  - Victim host → inspect the process that issued the query (Image in Sysmon 22 / Sysmon 1).
  - Account → check 4648 on the victim and 4624 (Logon Type 3, NTLM) on any relay target.
- Confirm credential exposure
  - Determine whether NTLM authentication reached the attacker host; a completed NTLM exchange means the Net-NTLMv2 response can be cracked offline or relayed.
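The indicator tables and the decision tree above are one chain on a single host: a DNS lookup that fails (Sysmon 22, QueryStatus 9003), a connection on a Responder port to an address DNS never returned (Sysmon 3), and explicit credential use toward the mistyped name (Security 4648). The following is an added example, not code from the page, that runs that correlation over constructed sample events; the event dicts, host names, addresses and the 30-second window are assumptions for the example, and the field names mirror the Sysmon and Security event fields.

```python
from __future__ import annotations
from datetime import datetime, timedelta

NXDOMAIN = "9003"                 # Sysmon 22 QueryStatus: DNS said the name does not exist
POISON_PORTS = {445, 139, 80}     # SMB / NetBIOS session / HTTP, the services Responder serves
WINDOW = timedelta(seconds=30)    # assumed: fallback, connect and auth happen within seconds


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def _ips(query_results: str) -> set[str]:
    """Normalise Sysmon QueryResults: ';'-separated, non-A records carry a
    'type: N' prefix, and IPv4 is written as an IPv4-mapped address (::ffff:a.b.c.d)."""
    out = set()
    for item in query_results.split(";"):
        item = item.strip()
        if item and not item.startswith("type:"):
            out.add(item.removeprefix("::ffff:"))
    return out


def find_poisoning_chains(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    events = sorted(events, key=_ts)
    # Addresses that real DNS returned per host; a connection to anything else
    # right after an NXDOMAIN came from LLMNR/NBT-NS (or a hard-coded address).
    dns_resolved: dict[str, set[str]] = {}
    for e in events:
        if e["source"] == "Sysmon" and e["id"] == 22 and e["QueryStatus"] == "0":
            dns_resolved.setdefault(e["host"], set()).update(_ips(e["QueryResults"]))

    findings = []
    for i, q in enumerate(events):
        if not (q["source"] == "Sysmon" and q["id"] == 22 and q["QueryStatus"] == NXDOMAIN):
            continue
        deadline = _ts(q) + window
        later = [e for e in events[i + 1:] if e["host"] == q["host"] and _ts(e) <= deadline]
        for conn in later:
            if not (conn["source"] == "Sysmon" and conn["id"] == 3
                    and conn["DestinationPort"] in POISON_PORTS):
                continue
            if conn["DestinationIp"] in dns_resolved.get(q["host"], set()):
                continue                                   # DNS knew this address: benign
            auth = next((a for a in later if a["source"] == "Security" and a["id"] == 4648
                         and a["TargetServerName"].lower() == q["QueryName"].lower()), None)
            findings.append({
                "host": q["host"], "queried_name": q["QueryName"],
                "rogue_ip": conn["DestinationIp"], "port": conn["DestinationPort"],
                "process": conn["Image"],
                "credential_exposed": auth is not None,
                "account": auth["SubjectUserName"] if auth else None,
            })
    return findings


# Constructed sample events (not real logs). WS01 reaches a legitimate server, then
# mistypes it and authenticates to 10.0.0.66; WS02 only has a harmless typo.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "source": "Sysmon", "id": 22,
     "QueryName": "fileserver", "QueryStatus": "0", "QueryResults": "::ffff:10.0.0.5;"},
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "source": "Sysmon", "id": 3,
     "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"ts": "2024-05-01T10:01:00", "host": "WS01", "source": "Sysmon", "id": 22,
     "QueryName": "fileservr", "QueryStatus": NXDOMAIN, "QueryResults": ""},
    {"ts": "2024-05-01T10:01:02", "host": "WS01", "source": "Sysmon", "id": 3,
     "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.66", "DestinationPort": 445},
    {"ts": "2024-05-01T10:01:03", "host": "WS01", "source": "Security", "id": 4648,
     "SubjectUserName": "jdoe", "TargetServerName": "fileservr"},
    {"ts": "2024-05-01T10:05:00", "host": "WS02", "source": "Sysmon", "id": 22,
     "QueryName": "pritner", "QueryStatus": NXDOMAIN, "QueryResults": ""},
]

if __name__ == "__main__":
    for f in find_poisoning_chains(EVENTS):
        print(f)
```

The benign connection to 10.0.0.5 is ignored because DNS produced that address; the WS02 typo produces no finding because nothing connected afterwards. The 4648 match on Target Server Name is what turns "likely poisoned" into "credentials reached the attacker" for a specific account.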
Example Detection Templates
KQL
```kusto
// 5355 = LLMNR (UDP); every Windows host sends these to 224.0.0.252, so the
// interesting rows are unicast 5355 traffic and 445 to hosts nobody resolved via DNS
DeviceNetworkEvents
| where RemotePort in (5355, 445)
| summarize count() by InitiatingProcessAccountName, RemoteIP, RemotePort, bin(TimeGenerated, 5m)
```

```kusto
DeviceEvents
| where ActionType == "DnsQueryResponse"
| where AdditionalFields contains "QueryName"
```
EQL
```eql
// scope to Sysmon so EventID 22 from other providers is not matched
any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "22"
```
Sigma
```yaml
title: LLMNR Poisoning Detection
id: llmnr-poisoning-detection
status: experimental
description: Detects DNS lookups that failed with NXDOMAIN (QueryStatus 9003), the condition under which the Windows resolver falls back to LLMNR/NBT-NS. Correlate hits with SMB/HTTP connections to addresses DNS never returned.
logsource:
  product: windows
  category: dns_query
detection:
  selection:
    EventID: 22
    QueryStatus: '9003'
  condition: selection
fields:
  - QueryName
  - QueryStatus
  - QueryResults
falsepositives:
  - Legitimate failed hostname lookups (typos, decommissioned hosts)
level: medium
tags:
  - attack.credential_access
  - attack.t1557.001
```
Splunk
```spl
index=main earliest=1690290078 latest=1690291207 SourceName=LLMNRDetection
| table _time, ComputerName, SourceName, Message
```

```spl
index=main earliest=1690290078 latest=1690291207 EventCode=22
| table _time, Computer, user, Image, QueryName, QueryResults
```

```spl
index=main earliest=1690290814 latest=1690291207 EventCode=4648
| table _time, EventCode, source, name, user, Target_Server_Name, Message
| sort 0 _time
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| LLMNR | Disable LLMNR via GPO | Critical | Primary prevention. Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" = Enabled, which sets HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0. |
| NBT-NS | Disable NetBIOS over TCP/IP on each adapter | High | Reduces poisoning surface. No dedicated GPO: set NetbiosOptions = 2 per interface under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}, or push it via DHCP option. |
| SMB Signing | Require SMB signing on clients and servers | Critical | Prevents relay of the captured authentication. It does not stop capture: the Net-NTLMv2 response can still be cracked offline, so disabling LLMNR/NBT-NS remains necessary. |
| DNS Hygiene | Ensure correct DNS registration | Medium | Reduces fallback events: every name users and scripts reference should resolve in DNS, so the resolver never reaches multicast. |
| Monitoring | Alert on rogue LLMNR responses | High | Strong detection surface |