Built on the open source project osquery
Description: This query looks to see if LLMNR is enabled. Part 2 of 2 for stopping Responder.
What The Data Shows: This query reports whether LLMNR is enabled on a Windows machine. Like NetBIOS name resolution, LLMNR can be abused and poisoned so that victims end up talking to an attacker-controlled machine on the local network. LLMNR should also be disabled to reduce the chance of an attacker capturing NTLMv2 hashes with Responder or similar tools. The setting checked here is the EnableMulticast value under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient, which is written by the "Turn off multicast name resolution" Group Policy; LLMNR is disabled only when that value exists and is set to 0. If the value is absent, Windows uses its default and LLMNR is enabled, so a query must treat "not set" as enabled. More info can be found at https://attack.mitre.org/techniques/T1171/ (this technique ID has since been retired in ATT&CK in favor of T1557.001, LLMNR/NBT-NS Poisoning and SMB Relay).
SQL:
SELECT
  CASE COUNT(*)
    WHEN 0 THEN 'ENABLED'   -- EnableMulticast absent or not 0: Windows default, LLMNR is on
    ELSE 'DISABLED'         -- EnableMulticast present and set to 0: policy has turned LLMNR off
  END AS "LLMNR STATUS"
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient'
  AND name = 'EnableMulticast'
  AND data = '0';
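The status-only query above tells an analyst that LLMNR is enabled but not why. The following query is an added example, not part of the original page or of osquery itself; it uses the standard osquery registry and system_info tables and returns the hostname, the raw EnableMulticast value (or the string 'not set' when the policy has never been applied) and the resulting status, so that hosts where the value was never configured can be separated from hosts where someone explicitly set it to 1. The column aliases hostname, enable_multicast and llmnr_status are this example's own names.

```sql
-- Added example (not from the original page): show the raw policy value next to
-- the derived LLMNR status. Assumes the standard osquery registry and system_info
-- tables. LLMNR is only off when EnableMulticast exists and is 0; anything else,
-- including an absent value, means Windows' default of "enabled".
WITH llmnr_policy AS (
  SELECT data
  FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient'
    AND name = 'EnableMulticast'
)
SELECT
  (SELECT hostname FROM system_info) AS hostname,
  -- raw value as stored; 'not set' marks a host the policy never reached
  COALESCE((SELECT data FROM llmnr_policy), 'not set') AS enable_multicast,
  CASE
    WHEN (SELECT data FROM llmnr_policy) = '0' THEN 'DISABLED'
    ELSE 'ENABLED'
  END AS llmnr_status;
```

Run from osqueryi or as a scheduled query, this returns exactly one row per host. A result of enable_multicast = 'not set' with llmnr_status = 'ENABLED' is the common finding on machines that have never received the hardening policy; enable_multicast = '1' means someone deliberately re-enabled LLMNR and is worth a closer look.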
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.