S0174: Responder
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [1]
Analyst context for executives and security teams
Responder matters because it targets a common enterprise weakness: systems that fall back to local name-resolution protocols and expose authentication material on the network. For leaders, the practical risk is not the tool itself but whether internal networks, Windows name resolution, and NTLM-related controls allow credentials to be captured or relayed after an attacker gains a foothold.
Executive priority
Prioritize validation where credential theft could interrupt operations or accelerate lateral movement: Windows-heavy networks, flat internal segments, privileged administrator workflows, and environments where audit evidence must show control over credential exposure. The ATT&CK relationships show Responder has been used by multiple named groups and a campaign, so coverage should be treated as a baseline internal-network and identity-protection control, not a niche malware signature problem.
Technical view
Responder is described by MITRE as an open source tool for LLMNR, NBT-NS, and mDNS poisoning with rogue HTTP, SMB, MSSQL, FTP, and LDAP authentication services supporting NTLM and Basic HTTP authentication. ATT&CK maps it to Network Sniffing and Name Resolution Poisoning and SMB Relay. SOC and IR teams should validate whether they can see suspicious local name-resolution responses, rogue authentication prompts, NTLM authentication to unexpected hosts, and traffic patterns consistent with credential capture or relay attempts. Because the tool object has no ATT&CK-provided detection text and no platform field, detections should be built from the related techniques and local network architecture rather than assuming a single endpoint artifact.
Likely telemetry
- LLMNR, NBT-NS, and mDNS query/response visibility from network sensors or packet capture points
- Windows authentication logs showing NTLM use and authentication to unusual internal hosts
- SMB, HTTP, MSSQL, FTP, and LDAP connection metadata, especially to nonstandard or user workstations
- DNS and local name-resolution telemetry showing failed DNS followed by local broadcast or multicast resolution
- Endpoint or network evidence of promiscuous-mode capture where available
Detection direction
- Confirm whether local name-resolution protocols are visible to monitoring; many blind spots occur because this traffic stays inside a subnet.
- Tune for unauthorized systems answering LLMNR, NBT-NS, or mDNS requests, especially when followed by NTLM authentication attempts.
- Correlate name-resolution poisoning indicators with SMB relay or authentication events rather than relying on tool-name matching.
- Baseline legitimate legacy behavior to reduce false positives from printers, older Windows systems, and service-discovery traffic.
- Use the related ATT&CK techniques T1040 and T1557.001 as the detection anchor because MITRE provides no official detection guidance for the Responder software object.
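The correlation the list above asks for, as an added example that is not part of the mirrored ATT&CK page or of Responder itself: flag hosts that answer LLMNR, NBT-NS or mDNS queries without being on a baseline allowlist, then pair those answers with a later NTLM authentication from the same client to the answering host. The event records and their field names are constructed assumptions standing in for whatever a network sensor or Windows logon log exports.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry); field names are assumptions.
# "lookup": an LLMNR/NBT-NS/mDNS answer seen on the wire.
# "ntlm": an NTLM authentication from a client to a target host.
EVENTS = [
    {"ts": 100, "type": "lookup", "proto": "LLMNR", "name": "fileshre01",
     "answer": "10.0.5.23", "client": "10.0.5.40"},
    {"ts": 101, "type": "lookup", "proto": "NBT-NS", "name": "fileshre01",
     "answer": "10.0.5.23", "client": "10.0.5.40"},
    {"ts": 104, "type": "ntlm", "client": "10.0.5.40", "target": "10.0.5.23",
     "user": "jdoe", "via": "SMB"},
    {"ts": 200, "type": "lookup", "proto": "mDNS", "name": "printer-3f",
     "answer": "10.0.5.200", "client": "10.0.5.41"},
    {"ts": 300, "type": "lookup", "proto": "LLMNR", "name": "intranet-srv",
     "answer": "10.0.5.23", "client": "10.0.5.42"},
]
# Baseline: hosts legitimately expected to answer local name resolution
# (printers, legacy NAS, service-discovery devices).
ALLOWED_RESPONDERS = {"10.0.5.200"}

def unauthorized_answers(events, allowed=ALLOWED_RESPONDERS):
    """Lookup answers from hosts that are not on the baseline allowlist."""
    return [e for e in events
            if e["type"] == "lookup" and e["answer"] not in allowed]

def correlate_with_ntlm(events, allowed=ALLOWED_RESPONDERS, window=60):
    """Pair each unauthorized answer with an NTLM authentication from the same
    client to the answering host within `window` seconds. That sequence is
    poisoning followed by capture, far stronger than either event alone."""
    hits = []
    for ans in unauthorized_answers(events, allowed):
        for e in events:
            if (e["type"] == "ntlm" and e["client"] == ans["client"]
                    and e["target"] == ans["answer"]
                    and 0 <= e["ts"] - ans["ts"] <= window):
                hits.append({"client": ans["client"], "rogue_host": ans["answer"],
                             "name": ans["name"], "proto": ans["proto"],
                             "user": e["user"], "via": e["via"],
                             "delay_s": e["ts"] - ans["ts"]})
    return hits

def names_claimed(events, allowed=ALLOWED_RESPONDERS):
    """Distinct names each unauthorized host answered for; one host answering
    many unrelated names is the poisoning pattern itself."""
    claimed = defaultdict(set)
    for e in unauthorized_answers(events, allowed):
        claimed[e["answer"]].add(e["name"])
    return {host: sorted(n) for host, n in claimed.items()}
```

Populating the allowlist from the legacy-behavior baseline is what keeps printers and service-discovery devices out of the results.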
Mitigation priorities
- Reduce reliance on LLMNR, NBT-NS, and mDNS where business operations allow, especially on Windows segments tied to privileged access.
- Harden NTLM usage and authentication flows so captured or relayed material has less value.
- Segment internal networks so local broadcast poisoning cannot easily affect high-value systems or administrative workstations.
- Review service accounts, privileged administrator practices, and exposure of SMB/LDAP/MSSQL/FTP authentication on internal networks.
- Document monitoring and control decisions as compliance evidence for credential-protection and internal lateral-movement controls.
Analyst notes and limits
The supplied ATT&CK data identifies Responder as open source software and relates it to credential-access, collection, and discovery techniques through Network Sniffing and Name Resolution Poisoning and SMB Relay. Relationships also indicate use by APT28, Lazarus Group, Ember Bear, and Operation Dream Job, but that does not by itself prove current targeting of any specific organization.
MITRE provides no official detection text, no tool platform field, and no aliases or labels in the supplied object. Local conclusions require environment-specific evidence about Windows name-resolution settings, NTLM exposure, subnet monitoring, and legitimate legacy protocol use.
Responder
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1040 | Network Sniffing | Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[1] |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay | Responder is used to poison name services to gather hashes and credentials from systems within a local network.[1] |
Groups, software, and campaigns
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 35b97f1b71ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] GitHub Responder: Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
- [2] mitre-attack S0174
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.