Worklet: Disable LLMNR (Security Risk) - Windows

  • 16 October 2020

Hi Automox Alive Community!


LLMNR stands for Link-Local Multicast Name Resolution and is a favorite vector among pen-testers and malicious threat actors for conducting man-in-the-middle attacks. Don’t take my word for it, though; a quick Google search shows the prevalence of articles discussing the associated impact and risk.


As a result, I’ve decided to create a worklet for state toggle concerning this issue for Windows.


Evaluation:


#############################################
$regPath = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################
# Compare current with desired and exit accordingly.
# 0 for Compliant, 1 for Non-Compliant
try {
    # Retrieve current value for comparison; a missing key or value throws
    $currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty -ErrorAction Stop).$regProperty
}
catch [Exception] {
    # Policy key or value not present, so LLMNR has not been disabled
    Write-Output "$($_.Exception.Message)"
    exit 1
}
if ($currentValue -eq $desiredValue) {
    # already disabled
    exit 0
} else {
    # not disabled
    exit 1
}

Remediation:


#############################################
$regPath = "HKLM:\SOFTWARE\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################
try {
    # Create the policy key if it does not exist yet
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force -ErrorAction Stop | Out-Null
    }
    # -Force overwrites an existing value and -PropertyType keeps it a DWORD,
    # including when the key exists but the value does not
    # (Set-ItemProperty with a string value would create a REG_SZ in that case)
    New-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -PropertyType DWORD -Force -ErrorAction Stop | Out-Null
    exit 0
}
catch [Exception] {
    Write-Output "$($_.Exception.Message)"
    exit 1
}

I’ve also added this script to my GitHub.
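
An added example, not part of the original post or the author's GitHub script: a read-only check that separates the states the evaluation script folds into "non-compliant" (key missing, value missing, value stored with the wrong registry type) from a correct DWORD 0. The function name `Get-LlmnrPolicyState` and the `HKCU:\Software\LlmnrPolicyDemo` scratch key are assumptions made for the demonstration.

```powershell
# Added example. Get-LlmnrPolicyState is a hypothetical helper, not part of the worklet.
function Get-LlmnrPolicyState {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
        [string]$Name = 'EnableMulticast'
    )
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'KeyMissing' }            # policy key was never created
    if ($key.GetValueNames() -notcontains $Name) {
        return 'ValueMissing'                         # key exists, value was never set
    }
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "WrongType:$kind"                      # e.g. a REG_SZ '0' instead of a DWORD
    }
    if ($key.GetValue($Name) -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# Constructed demo: walk a scratch key under HKCU through each state (no admin rights needed).
$demo = 'HKCU:\Software\LlmnrPolicyDemo'
Remove-Item -LiteralPath $demo -Recurse -Force -ErrorAction SilentlyContinue
"No key        : $(Get-LlmnrPolicyState -Path $demo)"

New-Item -Path $demo -Force | Out-Null
"Empty key     : $(Get-LlmnrPolicyState -Path $demo)"

# What Set-ItemProperty produces when the value did not exist and '0' is a string
Set-ItemProperty -Path $demo -Name EnableMulticast -Value '0'
"String value  : $(Get-LlmnrPolicyState -Path $demo)"

# What the remediation is meant to leave behind
New-ItemProperty -Path $demo -Name EnableMulticast -Value 0 -PropertyType DWord -Force | Out-Null
"DWORD 0       : $(Get-LlmnrPolicyState -Path $demo)"

New-ItemProperty -Path $demo -Name EnableMulticast -Value 1 -PropertyType DWord -Force | Out-Null
"DWORD 1       : $(Get-LlmnrPolicyState -Path $demo)"

Remove-Item -LiteralPath $demo -Recurse -Force

# The machine's real policy key, read-only
"Machine policy: $(Get-LlmnrPolicyState)"
```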


1 reply


This is a really great Worklet @ncolyer . Thanks for sharing to the community!
