Detections
Analytics
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Description
Adversaries may attempt to position themselves between two or more networked devices using an adversary - in -the - middle(AiTM) technique to support follow - on behaviors such as Network Sniffing or Transmitted Data Manipulation.By abusing features of common networking protocols that can determine the flow of network traffic(e.g.ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenicated Scan | SMB | Interactive logins | Plugin ID: 161502 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenicated Scan | SMB | LLMNR Status | Plugin ID: 160301 |
| Tenable Identity Exposure | Password Sync | Active Directory | Privileged AD User | RPC (135 + high ports) | User Password | Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-WEAK-USER-PASSWORD |
References
Microsoft Windows Logged On Users
Link-Local Multicast Name Resolution (LLMNR) Service Detection
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access, Collection
Technique: Adversary-in-the-Middle
Sub-Technique: LLMNR/NBT-NS Poisoning and SMB Relay
Platform: Windows
Products Required: Tenable Vulnerability Management and Tenable Identity Exposure
Tenable Release Date: 2022 Q2