🐾 - 🚨 LLMNR protocol 🤕 in use - Multicast query from Windows 🪟 observed

SID: 3300145
Rev: 2
Source: pawpatrules
Created: July 19, 2022
Updated: November 13, 2022
Classification: policy-violation
alert udp any any -> 224.0.0.252 5355 (msg:"🐾 - 🚨 LLMNR protocol 🤕 in use - Multicast query from Windows 🪟 observed"; flow:to_server, stateless; threshold:type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|00 01|"; endswith; reference:url,https://www.microsoft.com/en-us/research/publication/link-local-multicast-name-resolution-llmnr/; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2022_07_19, updated_at 2022_11_13; sid:3300145; rev:2; classtype:policy-violation;)

Metadata

created at: 2022_07_19
updated at: 2022_11_13
