
DETECTION OVERVIEW

LLMNR Activity

Risk Factors

LLMNR is an insecure protocol that enables LLMNR poisoning attacks. LLMNR is typically disabled, but if LLMNR is enabled and DNS servers are unavailable, a device might try to resolve a hostname by sending a broadcast query to internal devices over LLMNR. An LLMNR poisoning attack occurs when an attacker who is listening on the network responds to an LLMNR request and impersonates the host. If the attacker can collect user credentials during the attack, they can gain unauthorized access to a device.
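To see which devices still send LLMNR queries and which hosts answer them, the exchange described above can be reviewed in captured traffic. This Python code is an added example, not RevealX code or part of the original page: it parses LLMNR payloads (RFC 4795 header layout, UDP port 5355) and groups, per requested name, the clients that asked and the hosts that answered. The function names, addresses and hostname are constructed for illustration.

```python
import struct

def build_llmnr(txid, name, answer_ip=None):
    """Constructed LLMNR message (RFC 4795 layout): a query, or a response if answer_ip is set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    flags = 0x8000 if answer_ip else 0  # QR bit is set on responses
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if answer_ip:  # answer: pointer to qname, A/IN, TTL 30, 4-byte address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, answer_ip.split(".")))
    return msg

def parse_llmnr(payload):
    """Return (txid, is_response, qname), or None if the payload is malformed."""
    if len(payload) < 12 or payload[4:6] != b"\x00\x01":  # full header, exactly one question
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer in the question, or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos >= len(payload) or not labels:
        return None
    return txid, bool(flags & 0x8000), ".".join(labels).lower()

def summarize(events):
    """events: (src_ip, udp_payload) pairs seen on UDP 5355. Groups activity by name."""
    report, pending = {}, set()
    for src, payload in events:
        parsed = parse_llmnr(payload)
        if parsed is None:
            continue
        txid, is_response, name = parsed
        entry = report.setdefault(name, {"clients": set(), "responders": set()})
        if not is_response:
            entry["clients"].add(src)      # device that fell back to LLMNR
            pending.add((txid, name))
        elif (txid, name) in pending:      # only count answers to an observed query
            entry["responders"].add(src)   # host to verify as the real owner of the name
    return report

# Constructed sample traffic (documentation addresses, made-up hostname).
SAMPLE = [
    ("192.0.2.10", build_llmnr(0x1A2B, "fileshare")),
    ("192.0.2.66", build_llmnr(0x1A2B, "fileshare", "192.0.2.66")),
]
```

Every name in the result identifies a client that should have LLMNR turned off; each responder is a host to check against the legitimate owner of that name.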

Kill Chain: Hardening

Risk Score: 61


Attack Background

Mitigation Options

If LLMNR is not required for your Windows environment, disable LLMNR in local security settings or by group policy.
Ensure secure password policies are applied to your network devices to offset potential damage in the aftermath of an attack.
