
Check if LLMNR is enabled

Description: This query looks to see if LLMNR is enabled. Part 2 of 2 for stopping Responder.

What The Data Shows: This query shows Windows machines that have LLMNR enabled. LLMNR, like NetBIOS, can be abused and poisoned so that victims communicate with malicious machines on the network. LLMNR should also be disabled to reduce the chance of attackers obtaining NTLMv2 hashes with Responder or similar tools. More info can be found at https://attack.mitre.org/techniques/T1171/

SQL:

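-- LLMNR is on by default; it is off only when the policy value
-- EnableMulticast exists and is set to 0. A missing value therefore
-- counts as ENABLED.
SELECT
  CASE COUNT(*)
    WHEN 0 THEN 'ENABLED'
    ELSE 'DISABLED'
  END AS "LLMNR STATUS"
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient'
  AND name = 'EnableMulticast'
  AND data = '0';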

 

3 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur see my comment on your other query.

ksnihur
Contributor II

@jnelson, edited as requested.

jnelson
Carbon Black Employee
Status changed to: Approved