Detects anomalous LLMNR (UDP 5355) and NBT-NS (UDP 137) traffic combined with unauthorized SMB relay attempts, registry modifications that re-enable multicast name resolution, or suspicious service creation, all of which indicate adversary-in-the-middle credential interception.
| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=4697 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | Registry key modification HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast |
| Network Traffic Content (DC0085) | NSM:Flow | Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts |
| Network Traffic Flow (DC0078) | NSM:Flow | Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions |

| Field | Description |
|---|---|
| TrustedResponderList | Defines expected LLMNR/NBT-NS responders to tune out legitimate services. |
| TimeWindow | Correlation period for linking poisoned name resolution with SMB relay attempts. |
| SMBServiceBaseline | Normal services and SMB relay patterns in the enterprise environment. |
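The core correlation described above, written as an added example that is not part of the original detection strategy: name-resolution replies from hosts outside the TrustedResponderList are linked to a following SMB authentication by the same querying host within TimeWindow. The flow records, field names and addresses are constructed assumptions, not the page's schema.

```python
# Added example: correlate untrusted LLMNR/NBT-NS replies with SMB auth attempts.
# Flow records and their field names below are constructed for illustration.

# Tunables named on the page: TrustedResponderList and TimeWindow.
TRUSTED_RESPONDERS = {"10.0.0.53"}   # constructed: the enterprise's legitimate responder
TIME_WINDOW = 60                      # seconds between a poisoned reply and the SMB auth

NAME_RES_PORTS = {5355: "LLMNR", 137: "NBT-NS"}

# Constructed NSM flow records: UDP name-resolution replies and TCP 445 attempts.
FLOWS = [
    {"ts": 100, "src": "10.0.0.53", "dst": "10.0.1.20", "proto": "udp", "sport": 5355, "event": "llmnr_response"},
    {"ts": 105, "src": "10.0.1.99", "dst": "10.0.1.20", "proto": "udp", "sport": 5355, "event": "llmnr_response"},
    {"ts": 107, "src": "10.0.1.20", "dst": "10.0.1.99", "proto": "tcp", "dport": 445, "event": "smb_auth"},
    {"ts": 300, "src": "10.0.1.99", "dst": "10.0.1.21", "proto": "udp", "sport": 137, "event": "nbns_response"},
    {"ts": 900, "src": "10.0.1.21", "dst": "10.0.1.99", "proto": "tcp", "dport": 445, "event": "smb_auth"},
]


def untrusted_responses(flows, trusted):
    """Name-resolution replies whose source is not an approved responder."""
    return [f for f in flows
            if f["proto"] == "udp" and f.get("sport") in NAME_RES_PORTS
            and f["src"] not in trusted]


def correlate(flows, trusted=TRUSTED_RESPONDERS, window=TIME_WINDOW):
    """Alert when the host that received an untrusted reply then authenticates
    over SMB to that same responder within `window` seconds."""
    alerts = []
    for resp in untrusted_responses(flows, trusted):
        for f in flows:
            if (f["event"] == "smb_auth"
                    and f["src"] == resp["dst"]       # victim is the queried host
                    and f["dst"] == resp["src"]       # target is the untrusted responder
                    and 0 <= f["ts"] - resp["ts"] <= window):
                alerts.append({"victim": resp["dst"], "responder": resp["src"],
                               "protocol": NAME_RES_PORTS[resp["sport"]],
                               "delay": f["ts"] - resp["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(FLOWS):
        print(f"{a['protocol']} poisoning: {a['victim']} -> SMB to {a['responder']} after {a['delay']}s")
```

Widening TimeWindow to 1000 seconds also flags the second, slower sequence, which shows why the window is a tuning parameter rather than a fixed value.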