Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1274: Analytic 1274

Detects anomalous network traffic on UDP 5355 (LLMNR) and UDP 137 (NBT-NS) combined with unauthorized SMB relay attempts, registry modifications re-enabling multicast name resolution, or suspicious service creation indicative of adversary-in-the-middle credential interception.

EnterpriseAN1274AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because Windows name-resolution fallback traffic such as LLMNR and NBT-NS can become a credential-interception risk when it appears with signs of SMB relay activity, registry changes that re-enable multicast name resolution, or suspicious service creation. For leaders, the decision value is not just whether UDP 5355 or UDP 137 exists, but whether the organization can prove it would notice unsafe name-resolution behavior tied to credential exposure and lateral movement risk.

Executive priority

Prioritize this as an identity and Windows resilience validation item. Security leaders should ask whether multicast name-resolution settings are intentionally managed, whether SMB relay indicators are visible to the SOC, and whether registry and service-creation monitoring is sufficient for incident response evidence. This can support control prioritization around Windows hardening, credential protection, managed detection content, and audit-ready evidence that risky name-resolution behavior is monitored or disabled where appropriate.

Technical view

For Windows environments, validate telemetry and detection logic that correlates anomalous UDP 5355 LLMNR and UDP 137 NBT-NS traffic with one or more higher-risk signals: unauthorized SMB relay attempts, registry modifications that re-enable multicast name resolution, or suspicious service creation. Because ATT&CK provides no standalone detection implementation for this analytic, SOC teams should treat it as a correlation requirement rather than a single-event rule. Detection engineering should define what 'anomalous' means locally, baseline legitimate name-resolution traffic, and review service creation and registry changes in temporal proximity to suspicious network activity.

Likely telemetry

  • Windows network telemetry showing UDP 5355 LLMNR traffic
  • Windows network telemetry showing UDP 137 NBT-NS traffic
  • SMB authentication or relay-attempt indicators where available
  • Windows registry modification events related to multicast name-resolution configuration
  • Windows service creation events

Detection direction

  • Confirm that Windows endpoints or network sensors collect UDP 5355 and UDP 137 activity with source, destination, and timing context.
  • Tune baselines for legitimate LLMNR and NBT-NS traffic so the analytic does not alert only on normal legacy name-resolution behavior.
  • Correlate network anomalies with registry changes that re-enable multicast name resolution rather than treating registry changes in isolation.
  • Correlate suspicious service creation with nearby name-resolution and SMB relay indicators to improve triage value.
  • Document blind spots where endpoint telemetry, network visibility, registry auditing, or service-creation logging is incomplete.

Mitigation priorities

  • Establish whether LLMNR and NBT-NS are required in the Windows environment and manage those settings explicitly.
  • Harden Windows name-resolution and SMB-related configurations according to organizational policy and compatibility requirements.
  • Ensure registry and service-creation auditing is enabled where required for SOC and incident response workflows.
  • Use detection validation or tabletop exercises to confirm analysts can connect name-resolution anomalies with credential-interception indicators.
  • Maintain exception documentation for systems that legitimately require legacy name-resolution behavior.
Analyst notes and limits

This object is a detection analytic, not a technique or procedure. It is scoped to Windows and describes a correlation of LLMNR/NBT-NS traffic with SMB relay attempts, registry changes, or service creation. No ATT&CK relationships were supplied, so this take does not infer associated techniques, adversaries, software, campaigns, or mitigations beyond what the object states.

The official detection field is not provided, tactics are not specified, and no relationship context is supplied. Local baselines are required to define anomalous UDP 5355 and UDP 137 traffic, and local logging configuration determines whether registry, service-creation, and SMB relay evidence is available.

Official MITRE ATT&CK definition

Analytic 1274

Detects anomalous network traffic on UDP 5355 (LLMNR) and UDP 137 (NBT-NS) combined with unauthorized SMB relay attempts, registry modifications re-enabling multicast name resolution, or suspicious service creation indicative of adversary-in-the-middle credential interception.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
15949792910b5064...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 15949792910b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1274
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use