Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay


Adversaries may attempt to position themselves between two or more networked devices using an adversary - in -the - middle(AiTM) technique to support follow - on behaviors such as Network Sniffing or Transmitted Data Manipulation.By abusing features of common networking protocols that can determine the flow of network traffic(e.g.ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenicated ScanSMBInteractive loginsPlugin ID: 161502
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenicated ScanSMBLLMNR StatusPlugin ID: 160301
Tenable Identity ExposurePassword SyncActive DirectoryPrivileged AD UserRPC (135 + high ports)User PasswordPlugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-WEAK-USER-PASSWORD


Microsoft Windows Logged On Users

Link-Local Multicast Name Resolution (LLMNR) Service Detection

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access, Collection

Platform: Windows

Tenable Release Date: 2022 Q2