This artifact allows to detect responder in the environment https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/
name: Exchange.Windows.System.PowerShell.DetectResponder
author: "Dhruv Majumdar, Jamie Bhoohe"
description: |
This artifact allows to detect responder in the environment
https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/
type: CLIENT_EVENT
required_permissions:
- EXECVE
precondition:
SELECT OS From info() where OS = 'windows'
parameters:
- name: PowerShellExe
default: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
- name: ReloadPeriod
description: Checks for responder activity
default: "600"
type: int
sources:
- query: |
SELECT * FROM foreach(
row={
SELECT * FROM clock(period=ReloadPeriod)
},
query={
SELECT * FROM execve(argv=[PowerShellExe,
"-ExecutionPolicy", "Unrestricted", '''$llmnr = (Resolve-DnsName -LlmnrOnly evilname) 2> $NULL
if ($llmnr) {
$evil_IP = $llmnr.IPAddress -Join ", "
$msg = "Subject: HIGH SEV - Responder Detcted `nDomain: $env:USERDNSDOMAIN `nHostname: ${env:computername} `nRouge LLMNR Server: $evil_IP"
echo $msg
}'''])
WHERE log(message="Responder Detection Running")
})