Esc
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001

(ATT&CK® Technique)
Definition

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] --> |produces| IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"]; class T1557001 OffensiveTechniqueNode;
        class IntranetMulticastNetworkTraffic ArtifactNode; click IntranetMulticastNetworkTraffic href "/dao/artifact/d3f:IntranetMulticastNetworkTraffic";
        click T1557001 href "/offensive-technique/attack/T1557.001/"; click IntranetMulticastNetworkTraffic href "/dao/artifact/d3f:IntranetMulticastNetworkTraffic";     T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] --> |produces| NetworkTraffic["Network Traffic"]; class T1557001 OffensiveTechniqueNode;
        class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
        click T1557001 href "/offensive-technique/attack/T1557.001/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";                 PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";  ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";   RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";                                  Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";     Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";           ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class ConnectionAttemptAnalysis DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                       NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";     NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | NetworkTraffic["Network Traffic"];

          
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";       UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | IntranetMulticastNetworkTraffic["Intranet Multicast Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1557001["LLMNR/NBT-NS Poisoning and SMB Relay"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class IntranetMulticastNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";             UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";
json