(Attempting) to Detect Responder with Sysmon

This blog post discusses detecting the Responder tool using Sysmon, a Windows system monitoring utility.

What is Responder?

Responder is a penetration testing tool available at https://github.com/lgandx/Responder. It responds to network requests by impersonating legitimate servers, particularly useful for capturing authentication credentials during network reconnaissance.

The tool becomes dangerous when users mistype network share paths. An attacker running Responder can intercept these requests, capture NTLM hashes, and potentially crack passwords or perform pass-the-hash attacks.

Detection Approach

I propose using Sysmon Event ID 3 (Network Connect) logs to identify suspicious SMB connections.

Key Concept

Intentionally browse to a non-existent file share, then monitor for unexpected responses on port 445 (SMB). Any response from an unauthorized system indicates potential Responder activity.

PowerShell Script Example

The detection script:

1. Attempts connection to a fake share
2. Queries Sysmon logs for network connections
3. Alerts on port 445 traffic to non-whitelisted IPs

foreach($Event3 in $EventsID3){
    if(($Event3.EventDataDestinationPort -eq 445) -and
       ($Event3.EventDataDestinationIp -notcontains "192.168.1.142")){
        Write-Host "SMB Response Sent to Untrusted": $Event3.EventDataDestinationIp
    }
}

Important Limitations

This is just another layer in your defenses rather than comprehensive protection. Better approaches include:

• Properly configured Intrusion Detection Systems
• Disabling legacy protocols (NetBIOS over TCP/IP)
• Network monitoring and analysis

The script could be deployed as a scheduled task to continuously probe for unauthorized SMB responders.