
AD domain allowing multicast name resolution (LLMNR)

Cayosoft Threat Definition CTD-000165


Risk Summary

Link-Local Multicast Name Resolution (LLMNR) is a legacy protocol that lets a Windows host resolve a name by multicasting a query to its local subnet when DNS cannot answer. It was designed for networks without DNS servers and accepts a reply from whichever host answers first, with no authentication.

  • Severity: Medium
  • Platform: Active Directory
  • Category: Infrastructure
  • MITRE ATT&CK Tactics: Credential Access, Discovery, Lateral Movement
  • MITRE D3FEND Tactics: D3-ACH (Application Configuration Hardening)

Description

Link-Local Multicast Name Resolution (LLMNR) is a legacy fallback protocol for networks without DNS servers: when DNS returns no answer for a name, the Windows client multicasts the query to its subnet (UDP port 5355, 224.0.0.252) and trusts any host that replies. In an Active Directory domain this exposes the environment to spoofing and credential-harvesting attacks, most commonly run with the Responder tool. An attacker on the same segment answers the query with their own address, the client connects and authenticates to the attacker (typically over SMB or HTTP), and the attacker captures the NTLM challenge/response for offline cracking or relays it to another host.
Disabling LLMNR mitigates these risks by preventing unauthorized interception of name resolution requests. However, this change may impact legacy applications or older systems that rely on LLMNR or NetBIOS for network communication, and it only closes the gap fully if NetBIOS over TCP/IP (the next fallback after LLMNR) is disabled as well.


Real-World Scenario

A user mistypes a file server name on a Wi-Fi network. DNS cannot resolve the name, and because LLMNR is allowed, the workstation multicasts the query. An attacker’s Responder host answers it, tricking the client into authenticating to the attacker and leaking NTLM challenge/response material. The attacker cracks a weak password offline from that material, reuses the credentials to access a jump server, and pivots laterally using SMB. To avoid obvious detection, the attacker throttles traffic and operates during maintenance windows. Cayosoft Guardian flags CTD-000165: AD domain allowing multicast name resolution (LLMNR) so administrators can enforce the GPO and disable LLMNR before credentials are harvested.


How to Detect (Cayosoft Guardian)

1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.

2.) Open All Alerts and search for CTD-000165 or AD domain allowing multicast name resolution (LLMNR).

3.) Open any alert and Click for details (from Raise Threat Alert action).

4.) Review alert context (What/Type/Where/When/Who/Severity/Threat definition) to confirm LLMNR is permitted in the domain.

Evidence: No explicit evidence fields defined for this template.
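The Guardian alert tells you that the domain policy permits LLMNR; it does not tell you whether someone is already poisoning it. The following PowerShell function is an added example, not Cayosoft's code or part of the product: it sends an LLMNR query for a name that is assumed not to exist and reports any host that answers. On a healthy segment nothing replies; a Responder-style listener replies with its own address. The canary name, the timeout and the packet layout (LLMNR reuses the DNS message format: 12-byte header, then one question) are assumptions of this example.

```powershell
# Added example: probe the local subnet for an LLMNR poisoner.
# Run from a domain workstation on the segment under test; no admin rights needed,
# but a host firewall that drops inbound UDP replies will hide results.
function Test-LlmnrPoisoner {
    param(
        # Assumed nonexistent name; a poisoner answers anything, a real network answers nothing.
        [string]$Name = ('canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)),
        [int]$TimeoutMs = 3000
    )

    $txid = Get-Random -Minimum 1 -Maximum 65535

    # Header: ID, flags 0x0000, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 0
    $msg = New-Object System.Collections.Generic.List[byte]
    $msg.AddRange([byte[]]@((($txid -shr 8) -band 0xFF), ($txid -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))

    # Question name as length-prefixed labels, terminated by a zero-length root label
    foreach ($label in $Name.Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $msg.Add([byte]$bytes.Length)
        $msg.AddRange($bytes)
    }
    $msg.AddRange([byte[]]@(0, 0, 1, 0, 1))   # root label, QTYPE = A (1), QCLASS = IN (1)
    $query = $msg.ToArray()

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    [void]$udp.Send($query, $query.Length, $group)

    # Responses come back unicast to the port we sent from. Collect every answer until the timeout.
    $responders = @()
    $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
    try {
        while ($true) {
            $data = $udp.Receive([ref]$from)
            # Only count packets that echo our transaction ID and have the QR (response) bit set.
            if ($data.Length -ge 12 -and
                $data[0] -eq (($txid -shr 8) -band 0xFF) -and
                $data[1] -eq ($txid -band 0xFF) -and
                ($data[2] -band 0x80)) {
                $responders += [pscustomobject]@{
                    QueriedName = $Name
                    Responder   = $from.Address.ToString()
                    Answers     = ($data[6] -shl 8) + $data[7]   # ANCOUNT
                }
            }
        }
    }
    catch [System.Net.Sockets.SocketException] {
        # ReceiveTimeout elapsed: no further replies.
    }
    finally {
        $udp.Close()
    }
    return $responders
}

# Usage: any row in the output is a host answering for a name that should not resolve.
Test-LlmnrPoisoner | Format-Table -AutoSize
```

Run it from several subnets, not just one, because a poisoner only hears multicast on its own segment. An empty result does not prove the domain is safe; it only means nobody answered at that moment, which is why the policy fix below is the real remediation.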

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the misconfiguration:
  1. ) Open Group Policy Management.
  2. ) In the console tree, expand Forest > Domains.
  3. ) Expand your domain.
  4. ) Right-click the Default Domain Policy shortcut (or, preferably, a pilot GPO linked to a test OU so the change can be validated before it reaches every computer).
  5. ) Select Edit to open the Group Policy Management Editor window.
  6. ) Select Computer Configuration > Policies > Administrative Templates > Network > DNS Client.
  7. ) Set Turn off multicast name resolution to Enabled. This writes the DWORD value EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is the value to check when auditing a host.
  8. ) Apply the policy across all domain-connected devices and confirm on a sample of hosts with gpupdate /force and gpresult /r.
  9. ) Disable NetBIOS over TCP/IP on all network adapters, because a client that cannot use LLMNR falls back to NetBIOS name queries, which Responder poisons in the same way:
    1. ) Open Network and Sharing Center > Change Adapter Settings.
    2. ) Right-click the adapter and click Properties.
    3. ) Select Internet Protocol Version 4 (TCP/IPv4).
    4. ) Click Properties.
    5. ) Click Advanced.
    6. ) Click the WINS tab.
    7. ) In the NetBIOS setting section, click Disable NetBIOS over TCP/IP.
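The GUI steps above are fine for one machine; at domain scale the same change is made in the GPO with the GroupPolicy module and verified on hosts by reading the registry value the policy writes and the per-adapter NetBIOS setting. The following script is an added example, not Cayosoft's remediation code. It assumes the RSAT GroupPolicy module is installed where the GPO function runs, that the audit and NetBIOS functions run elevated on the host being checked, and that the GPO name passed in exists.

```powershell
# Added example: enforce and audit the LLMNR / NetBIOS-over-TCP/IP settings.

# Registry key written by "Turn off multicast name resolution = Enabled" (EnableMulticast = 0).
$LlmnrPolicyKeyGpo   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'   # GPO cmdlet format
$LlmnrPolicyKeyLocal = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'  # PowerShell drive format

function Set-LlmnrDisabledInGpo {
    # $GpoName is assumed to exist; use a pilot GPO linked to a test OU before touching Default Domain Policy.
    param([Parameter(Mandatory)][string]$GpoName)
    Import-Module GroupPolicy
    Set-GPRegistryValue -Name $GpoName -Key $LlmnrPolicyKeyGpo `
        -ValueName 'EnableMulticast' -Type DWord -Value 0
}

function Get-LlmnrState {
    # Audit the effective policy on this host. No value means the Windows default, which is LLMNR on.
    $item = Get-ItemProperty -Path $LlmnrPolicyKeyLocal -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (policy not configured; Windows default)' }
    if ($item.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled (policy explicitly allows it)'
}

function Get-NetbiosState {
    # TcpipNetbiosOptions: 0 = use DHCP server setting, 1 = enabled, 2 = disabled
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress,
            @{ Name = 'NetBIOS'; Expression = { @('DhcpDefault', 'Enabled', 'Disabled')[$_.TcpipNetbiosOptions] } }
}

function Disable-NetbiosOnAllAdapters {
    # Same change as the WINS tab in the GUI, applied to every IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = success, 1 = success but a reboot is required
        [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $result.ReturnValue }
    }
}

# Usage (elevated):
# Set-LlmnrDisabledInGpo -GpoName 'Pilot - Disable LLMNR'    # on a management host with RSAT
# gpupdate /force                                             # on a pilot workstation
# Get-LlmnrState                                              # expect 'Disabled'
# Disable-NetbiosOnAllAdapters; Get-NetbiosState              # expect 'Disabled' on every adapter
```

Setting EnableMulticast in the GPO removes LLMNR; NetBIOS still has to be turned off per adapter (or via the DHCP scope option that sets TcpipNetbiosOptions) for the fallback chain to be closed. Audit with Get-LlmnrState and Get-NetbiosState on a sample of hosts after each GPO refresh rather than trusting the policy link alone.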

How to Prevent It

Cayosoft Guardian can proactively detect and alert on AD domain allowing multicast name resolution (LLMNR). It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.

FAQ

LLMNR allows systems to multicast name queries, which attackers can spoof. By responding to these queries with malicious answers, attackers can capture NTLM credentials, perform offline cracking, and reuse compromised accounts for lateral movement.

The most common is a Responder attack, where an attacker tricks clients into sending authentication attempts to their rogue machine. This can expose NTLM challenge/response pairs and lead to credential theft and unauthorized access.

In modern Active Directory environments with DNS, disabling LLMNR typically causes no issues. However, some legacy applications or older systems that relied on LLMNR or NetBIOS may break until they are updated to use DNS.

Final Thought

Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like an AD domain allowing multicast name resolution (LLMNR), you reduce attack surfaces and strengthen your organization’s overall security posture.