Adversaries may use Responder to poison LLMNR, NBT-NS, and MDNS protocols to intercept network traffic and deploy rogue authentication servers for credential harvesting. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential lateral movement and exfiltration attempts early.
YARA Rule
rule hacktool_multi_responder_py
{
    meta:
        description = "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server"
        reference = "http://www.c0d3xpl0it.com/2017/02/compromising-domain-admin-in-internal-pentest.html"
        author = "@fusionrace"
        id = "dbe2f8e0-21fa-55f4-90e1-c6bc2b5403f2"
    strings:
        $s1 = "Poison all requests with another IP address than Responder's one." fullword ascii wide
        $s2 = "Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned." fullword ascii wide
        $s3 = "Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network." fullword ascii wide
        $s4 = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query." fullword ascii wide
        $s5 = "Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)" fullword ascii wide
        $s6 = "31mOSX detected, -i mandatory option is missing" fullword ascii wide
        $s7 = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query." fullword ascii wide
    condition:
        any of them
}
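As an added example (not part of the rule above or of Responder itself), the following Python emulates the rule's "fullword ascii wide" string matching for three of its strings without needing yara-python, so the matching semantics can be checked against constructed samples; the sample byte strings and function names are assumptions made for the demonstration.

```python
import re

# Three of the rule's strings ($s1, $s2, $s6), taken verbatim from the rule.
RESPONDER_STRINGS = [
    "Poison all requests with another IP address than Responder's one.",
    "Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.",
    "31mOSX detected, -i mandatory option is missing",
]

def _fullword_patterns(s: str):
    """Compile the ascii and wide (UTF-16LE) forms of s with fullword boundaries.
    YARA's fullword rejects a match that is directly preceded or followed by an
    alphanumeric character; for wide strings the neighbour is a 2-byte unit
    (alnum byte followed by 0x00). This is a close approximation of libyara."""
    alnum = rb"[A-Za-z0-9]"
    ascii_pat = re.compile(rb"(?<!" + alnum + rb")" + re.escape(s.encode("ascii"))
                           + rb"(?!" + alnum + rb")")
    wide_pat = re.compile(rb"(?<!" + alnum + rb"\x00)" + re.escape(s.encode("utf-16-le"))
                          + rb"(?!" + alnum + rb"\x00)")
    return ascii_pat, wide_pat

def scan_bytes(data: bytes) -> dict:
    """Return {identifier: 'ascii'|'wide'} for every rule string found in data."""
    hits = {}
    for i, s in enumerate(RESPONDER_STRINGS, 1):
        ascii_pat, wide_pat = _fullword_patterns(s)
        if ascii_pat.search(data):
            hits[f"$s{i}"] = "ascii"
        elif wide_pat.search(data):
            hits[f"$s{i}"] = "wide"
    return hits

def matches_rule(data: bytes) -> bool:
    """The rule's condition is 'any of them': one string hit is enough."""
    return bool(scan_bytes(data))

# Constructed samples (not real Responder artefacts):
# a plain-text argument parser line, as it would appear in a Python source file
SAMPLE_SOURCE = b'parser.add_option("-e", help="Poison all requests with another IP address than Responder\'s one.")'
# the same kind of text embedded as UTF-16LE, as a compiled/packaged binary might carry it
SAMPLE_WIDE = b"\x00\x00" + RESPONDER_STRINGS[1].encode("utf-16-le") + b"\x00\x00"
# benign text that merely mentions the tool name
SAMPLE_BENIGN = b"This host was checked for Responder; nothing here."
# $s6 glued to a preceding letter, so fullword must reject it
SAMPLE_NOT_FULLWORD = b"a31mOSX detected, -i mandatory option is missing"

if __name__ == "__main__":
    for name, blob in [("source", SAMPLE_SOURCE), ("wide", SAMPLE_WIDE),
                       ("benign", SAMPLE_BENIGN), ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        print(name, matches_rule(blob), scan_bytes(blob))
```

The wide case is the one worth keeping in mind when tuning: a rule written only with "ascii" would miss the UTF-16 copy of the same help text.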
This rule contains 7 string patterns in its detection logic (note that $s4 and $s7 carry identical text, so six are distinct), and its condition fires on any single match. When deploying it, account for the following legitimate scenarios that can resemble Responder's LLMNR/NBT-NS/MDNS or rogue-server behavior; each comes with a suggested filter/exclusion:
Scenario: Legitimate Network Discovery Tool Usage
Description: A network administrator is using Nmap or Angry IP Scanner to perform a routine network discovery, which may trigger LLMNR/NBT-NS/MDNS queries.
Filter/Exclusion: process.name != "nmap" and process.name != "angryipscanner"
Scenario: Scheduled System Maintenance Task
Description: A Windows Task Scheduler job is running a script that performs DNS resolution or network configuration, which may generate LLMNR or MDNS traffic.
Filter/Exclusion: process.name != "schtasks.exe" and process.name != "cmd.exe" and not (process.parent.name == "taskeng.exe")
Scenario: Internal DNS Server Query
Description: A system is querying an internal DNS server for host resolution, which may resemble LLMNR or MDNS traffic.
Filter/Exclusion: destination.port != 53 or destination.ip != internal_dns_server_ip
Scenario: Active Directory Replication
Description: An Active Directory replication process is occurring between domain controllers, which may involve NBT-NS or LDAP traffic.
Filter/Exclusion: process.name == "dcdiag.exe" or process.name == "repadmin.exe" or process.name == "ntdsutil.exe"
Scenario: Legitimate HTTP Server Testing
Description: A developer is testing a local HTTP server (e.g., using Python’s http.server or nginx in development mode), which may trigger HTTP-related alerts.
Filter/Exclusion: (process.name != "python" and process.name != "nginx") or (destination.port != 80 and destination.port != 443)