
llmnr malicious domain

I've captured a compromised system. I filtered LLMNR and found a collection of suspicious results. Some of the requests are sent to domains with mixed characters, such as "kdonszushlwi" or "ytdfgejjknsc". What are these?

kiowa (asked 2018-07-21 01:49:49 +0000)

Comments

Can you share a trace file?

Eddi (2018-07-21 21:07:09 +0000)

1 Answer


Are you using Google Chrome as your browser? If so, then it's not malicious, it's Chrome trying to detect if your ISP is using wildcard DNS to catch all domains, even ones that don't exist.

See this page for an explanation. It uses DNS in all the images, but Chrome does the same thing with LLMNR.

Jim Aragon (answered 2018-07-22 01:16:15 +0000)

Comments

That is what I'm seeing. However, in Squert there is a hit for a P2P "thunder.xunelei". I'm looking for traffic that can show it is reaching out.

kiowa (2018-07-22 02:27:10 +0000)

I resolved the issue. It was a false positive. Investigating further, I found the users were on thin clients. The NIC cards were from InveTec. It's a Chinese company. The LLMNR broadcasts are normal in this case. The Snort alert must have correlated the Xuneli software and the foreign NIC card.

kiowa (2018-07-23 15:23:42 +0000)
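As an added example (not code from anyone in this thread), here is a short Python triage script that pulls the query name out of raw LLMNR payloads and applies the heuristic behind Jim's answer: Chrome's probes are single labels of 7 to 15 lowercase letters, sent three at a time when the browser starts. The source addresses and query names are constructed sample data; `build_query` only exists to fabricate that input.

```python
import re
import struct
from collections import Counter

# Chrome's intranet redirect detector sends three single-label LLMNR/DNS
# lookups for random lowercase names of 7 to 15 letters when it starts, to
# learn whether the resolver answers for names that cannot exist.
CHROME_PROBE = re.compile(r"^[a-z]{7,15}$")

def parse_llmnr_query_name(payload: bytes) -> str:
    """Return the first QNAME of an LLMNR query (DNS wire format, RFC 4795)."""
    if len(payload) < 13 or struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("missing LLMNR header or question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; this parser does not follow them
            raise ValueError("compressed name in question section")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed LLMNR query for NAME (type A, class IN), used as sample input."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def triage(queries):
    """queries: iterable of (source_ip, payload). Returns {source_ip: Counter}."""
    report = {}
    for src, payload in queries:
        name = parse_llmnr_query_name(payload)
        kind = "chrome-probe-like" if CHROME_PROBE.match(name) else "other"
        report.setdefault(src, Counter())[kind] += 1
    return report

# Constructed sample: one thin client that just started Chrome (three probes,
# including the two names from the question) and one host looking up a printer.
SAMPLE_QUERIES = [
    ("10.0.0.5", build_query("kdonszushlwi")),
    ("10.0.0.5", build_query("ytdfgejjknsc")),
    ("10.0.0.5", build_query("qpwoeirutyal")),
    ("10.0.0.7", build_query("printer01")),
]
```

A burst of three probe-like names per browser start is the expected pattern; a host emitting a steady stream of them, or names containing digits or dots, deserves a closer look rather than a blanket "Chrome" dismissal.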