MazeRunner’s Responder Monitor (Pass-the-Hash) periodically broadcasts deceptive credentials from endpoints and decoys. Attackers listening in on the network, using Responder.py or a similar tool, will capture these broadcasts and potentially use these deceptive credentials. Responder Monitor alerts are based on detected NBNS poisoning, on stolen hashed credentials, and on the use of these credentials on the network.
This activates monitoring for use of the Responder.py tool on the network subnet of the decoy, with decoys being placed throughout the environment and on different VLANs. Alternatively, you can activate monitoring from a specific endpoint via the Responder Monitor deployment feature; this allows monitoring for use of the Responder.py tool on the network subnet of the endpoints.
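One way to detect the NBNS poisoning mentioned above, as an added example that is not MazeRunner's code: it assumes a monitor that broadcasts queries for canary names that do not exist and treats any positive answer as poisoning. The canary name, the addresses and all function names are constructed for illustration.

```python
import socket
import struct

# Constructed canary names: hosts that do not exist, so any answer is suspect.
CANARY_NAMES = {"FILESRV-X9"}

def encode_nb_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: 16 raw bytes -> 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_nb_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip()

def parse_nbns_response(packet):
    """Return (name, answer_ip) for a positive name query response, else None."""
    if len(packet) < 62 or packet[12] != 0x20 or packet[45] != 0:
        return None
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    opcode = (flags >> 11) & 0x0F  # 0 = name query
    if not flags & 0x8000 or opcode or flags & 0x000F or ancount < 1:
        return None  # not a response, not a query answer, or an error reply
    encoded = packet[13:45]
    if any(not 0x41 <= c <= 0x50 for c in encoded):
        return None
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[46:56])
    if rtype != 0x0020 or rdlen < 6:  # NB record: 2-byte flags + IPv4
        return None
    return decode_nb_name(encoded), socket.inet_ntoa(packet[58:62])

def check_packet(packet, src_ip, canaries=CANARY_NAMES):
    """Alert when any host answers a query for a name that cannot exist."""
    parsed = parse_nbns_response(packet)
    if parsed is None or parsed[0] not in canaries:
        return None
    return {"alert": "nbns_poisoning", "name": parsed[0],
            "responder": src_ip, "answer_ip": parsed[1]}

def build_sample_response(name, ip, txid=0x1337, flags=0x8500):
    """Constructed test packet shaped like a positive NBNS answer."""
    header = struct.pack("!6H", txid, flags, 0, 1, 0, 0)
    rr = b"\x20" + encode_nb_name(name) + b"\x00"
    rr += struct.pack("!HHIH", 0x0020, 0x0001, 165, 6)
    return header + rr + b"\x00\x00" + socket.inet_aton(ip)
```

The responder address in the alert is the host to investigate, and the decoy credentials sent to it can then be watched for in authentication logs.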
For more information on MazeRunner’s Responder capabilities, check out this blog post.