Security Firm Targets Credential Theft

Detecting credential theft as it happens is the aim of Decipio, a new community security tool from Arctic Wolf. The tool targets a well-documented Windows attack vector, aiming to alert defenders before stolen credentials are weaponised inside a network.

Decipio operates as a passive network tripwire. It monitors for exploitation of LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) - two legacy Windows name-resolution protocols still enabled by default in all current Windows versions.

When an attacker on the same network segment poisons these protocols, victim machines send authentication credentials directly to the attacker. Arctic Wolf says Decipio is designed to generate a binary alert at this moment, requiring minimal tuning. These performance claims could not be independently confirmed.
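To make the tripwire idea concrete, here is an added example that is not Decipio's code and not from Arctic Wolf. It assumes the defender plants a decoy name that no real host owns and watches LLMNR responses on UDP 5355, flagging any source that answers for the decoy or for more than one name (a heuristic). All names, addresses and packets are constructed.

```python
import struct
from collections import defaultdict
CANARY_NAMES = {"fs-archive-07"}  # constructed decoy; assumed to exist nowhere on the network

def parse_llmnr_response(payload):
    """Return the queried name if payload is an LLMNR response carrying answers, else None."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000 or qdcount != 1 or ancount == 0:
        return None  # a query, or a response with nothing in it
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels).lower()
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer or truncated name
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None

def find_suspect_responders(packets, canaries=CANARY_NAMES):
    """packets: (source_ip, udp_payload) pairs captured on UDP 5355. Returns {ip: reason}."""
    answered = defaultdict(set)
    for src, payload in packets:
        name = parse_llmnr_response(payload)
        if name:
            answered[src].add(name)
    alerts = {}
    for src, names in answered.items():
        hits = names & canaries
        if hits:
            alerts[src] = "answered canary name(s): " + ", ".join(sorted(hits))
        elif len(names) > 1:  # heuristic: a genuine host answers only for its own name
            alerts[src] = "answered for %d different names" % len(names)
    return alerts

def build_response(name, ip):
    """Constructed sample data: bytes of an LLMNR response with one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return (struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0) + qname + struct.pack("!2H", 1, 1)
            + qname + struct.pack("!2HIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split(".")))

# Constructed capture: source IPs and the names they answered for.
SAMPLE = [(ip, build_response(name, ip)) for ip, name in [
    ("192.0.2.10", "printer01"), ("192.0.2.66", "fs-archive-07"),
    ("192.0.2.77", "fileshare"), ("192.0.2.77", "intranet")]]
```

Calling `find_suspect_responders(SAMPLE)` flags 192.0.2.66 and 192.0.2.77 and leaves 192.0.2.10, which answered only for a single non-decoy name, alone.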

The technique - catalogued by MITRE ATT&CK as sub-technique T1557.001 - has been a standard tool in attackers’ arsenals since at least 2012. Both LLMNR and NBT-NS remain enabled by default in Windows 11 and Windows Server 2025.

The US Cybersecurity and Infrastructure Security Agency (CISA) published a formal countermeasure in March 2025 recommending LLMNR be disabled entirely. Microsoft is separately pursuing a phased roadmap to deprecate NTLM - the authentication protocol underpinning these attacks - by default in future Windows releases.

Ismael Valenzuela, VP of Threat Intelligence Research at Arctic Wolf, said the tool was designed to shift defenders from reactive to proactive. “As attackers automate faster and operate more quietly, defenders can’t afford to only respond after the damage is done,” Valenzuela said.

“Decipio represents a defense-first approach to AI-powered attacks that is designed to catch threat actors the moment they reveal themselves.”

Decipio is being released as a limited, gated community beta available only to verified security practitioners. Arctic Wolf said fully open-sourcing the tool risked helping adversaries understand detection boundaries, citing AI-assisted scraping and automated reuse. The tool will be formally introduced at the SANS AI Summit, though the event date and location were not specified in the announcement.

https://arcticwolf.com/decipio/