Worklet: Disable LLMNR (Security Risk)

Hi Automox Alive Community!

LLMNR stands for Link-Local Multicast Name Resolution and is a favorite vector among pen-testers and malicious threat actors for conducting man-in-the-middle attacks. Don’t take my word for it, though; a quick Google search shows the prevalence of articles discussing the impact and risk associated.

As a result, I’ve decided to create a worklet for state toggle concerning this issue for Windows.

Evaluation:

#############################################
$regPath = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################
# Compare current with desired and exit accordingly.
# 0 for Compliant, 1 for Non-Compliant
try {
  # Retrieve current value for comparison
  $currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty -ErrorAction Stop).$regProperty
}
catch [Exception]{
  # Key or value is missing or unreadable: report the error and flag as non-compliant
  write-output "$($_.Exception.Message)"
  exit 1
}
if ($currentValue -eq $desiredValue) {
  # already disabled
  exit 0
} else {
  # not disabled
  exit 1
}

Remediation:

#############################################
$regPath = "HKLM:\SOFTWARE\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################
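try {
  # Create the policy key if it does not exist yet
  If (-not(Test-Path $regPath)){
    New-Item -Path $regPath -Force -ErrorAction Stop | Out-Null
  }
  # -Force creates or overwrites the value, so it is always written as a DWORD
  # (Set-ItemProperty with a string value would create a REG_SZ when the value is missing)
  New-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -PropertyType DWORD -Force -ErrorAction Stop | Out-Null
  exit 0
}
catch [Exception]{
  write-output "$($_.Exception.Message)"
  exit 1
}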

I’ve also added this script to my GitHub.

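The following audit check is an added example, not part of the original post or the author's GitHub script. It reads the same registry path and value as the worklet and reports which state the machine is in, so a missing key, a missing value, and a value of the wrong type are told apart instead of all appearing as "non-compliant". The function name `Get-LlmnrPolicyState` and the state labels are hypothetical.

```powershell
# Added example: classify the LLMNR policy state instead of a plain pass/fail.
# Get-LlmnrPolicyState and the state labels are hypothetical names for illustration.
$regPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$regProperty = 'EnableMulticast'

function Get-LlmnrPolicyState {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )

    # Helper to keep the result shape consistent across all branches
    function New-Result($state, $kind, $value) {
        [pscustomobject]@{ State = $state; Kind = $kind; Value = $value }
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        return New-Result 'KeyMissing' $null $null      # policy key was never created
    }
    if ($key.GetValueNames() -notcontains $Name) {
        return New-Result 'ValueMissing' $null $null    # key exists, value does not
    }

    $kind  = $key.GetValueKind($Name)   # registry type, e.g. DWord or String
    $value = $key.GetValue($Name)

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # e.g. a REG_SZ "0": flag it rather than assume the policy is honored
        return New-Result 'WrongType' $kind $value
    }
    if ($value -eq 0) {
        return New-Result 'Disabled' $kind $value       # desired state
    }
    return New-Result 'Enabled' $kind $value
}

$result = Get-LlmnrPolicyState -Path $regPath -Name $regProperty
Write-Output ("LLMNR policy state: {0} (type={1}, value={2})" -f $result.State, $result.Kind, $result.Value)

# Same convention as the worklet: 0 = compliant, 1 = remediation needed
if ($result.State -eq 'Disabled') { exit 0 } else { exit 1 }
```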