Hi Automox Alive Community!
LLMNR stands for Link-Local Multicast Name Resolution and is a favorite vector among pen-testers and malicious threat actors for conducting man-in-the-middle attacks. Don’t take my word for it though, a quick google shows the prevalence of articles discussing the impact and risk associated.
As a result, I’ve decided to create a worklet for state toggle concerning this issue for Windows.
Evaluation:
#############################################
$regPath = "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################
# Compare current with desired and exit accordingly.
# 1 for Compliant, 0 for Non-Compliant
try {
# Retrieve current value for comparison
$currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty -ErrorAction Stop).$regProperty
}
catch [Exception]{
write-output "$_.Exception.Message"
exit 1
}
if ($currentValue -eq $desiredValue) {
# already disabled
exit 0
} else {
# not disabled
exit 1
}
Remediation:
#############################################
$regPath = "HKLM:\SOFTWARE\policies\Microsoft\Windows NT\DNSClient"
$regProperty = "EnableMulticast"
$desiredValue = '0'
#############################################
try {
If (-not(Test-Path $regPath)){
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -PropertyType DWORD -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue
exit 0
}
catch [Exception]{
write-output "$_.Exception.Message"
exit 1
}
I’ve also added this script to my GitHub.
