
Hi Automox Alive Community!



LLMNR stands for Link-Local Multicast Name Resolution and is a favorite vector among pen-testers and malicious threat actors for conducting man-in-the-middle attacks. Don’t take my word for it, though; a quick Google shows the prevalence of articles discussing the impact and risk associated.



As a result, I’ve decided to create a worklet for state toggle concerning this issue for Windows.



Evaluation:



#############################################
$regPath = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################

# Compare current with desired and exit accordingly.
# Exit 0 for Compliant, 1 for Non-Compliant
try {
    # Retrieve current value for comparison
    $currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty -ErrorAction Stop).$regProperty
}
catch [Exception] {
    # Key or value is missing (or unreadable): report it and treat as non-compliant
    Write-Output "$($_.Exception.Message)"
    exit 1
}

if ($currentValue -eq $desiredValue) {
    # already disabled
    exit 0
} else {
    # not disabled
    exit 1
}



Remediation:



#############################################
$regPath = "HKLM:\SOFTWARE\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################

try {
    # Create the policy key if it does not exist yet
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force -ErrorAction Stop | Out-Null
    }
    # -Force creates the value or overwrites an existing one, always as a DWORD
    New-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -PropertyType DWORD -Force -ErrorAction Stop | Out-Null
    exit 0
}
catch [Exception] {
    Write-Output "$($_.Exception.Message)"
    exit 1
}



I’ve also added this script to my GitHub.
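
An added example, not part of the original post or the author's GitHub script: a read-only audit helper that reports why an endpoint is non-compliant (key missing, value missing, wrong registry type, or wrong value) instead of only an exit code. The function name `Get-LlmnrPolicyState` and its output fields are hypothetical; the registry path, value name and desired value are the ones used in the worklet above.

```powershell
# Added example (hypothetical helper, not from the original worklet).
# Reads the LLMNR policy value and reports its state without changing anything.
function Get-LlmnrPolicyState {
    [CmdletBinding()]
    param(
        [string]$RegPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
        [string]$RegProperty = 'EnableMulticast',
        [int]$DesiredValue   = 0
    )

    $state = [ordered]@{
        KeyExists   = $false
        ValueExists = $false
        ValueKind   = $null
        Value       = $null
        Compliant   = $false
    }

    if (Test-Path -Path $RegPath) {
        $state.KeyExists = $true
        $key = Get-Item -Path $RegPath

        # GetValueNames() lists the values actually present under the key
        if ($key.GetValueNames() -contains $RegProperty) {
            $state.ValueExists = $true
            $state.ValueKind   = $key.GetValueKind($RegProperty)
            $state.Value       = $key.GetValue($RegProperty)

            # The worklet writes the value as a DWORD, so require both the
            # DWORD type and the desired value before reporting compliance
            $state.Compliant = ($state.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                               ($state.Value -eq $DesiredValue)
        }
    }

    [pscustomobject]$state
}

Get-LlmnrPolicyState | Format-List
```
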

This is a really great Worklet, @ncolyer. Thanks for sharing to the community!

