Detecting Responder via LLMNR Honey Tasks on User Workstations

00:00 - Intro
00:15 - Talking about how the attack works and why NetBIOS/LLMNR should be disabled
01:30 - Running Responder on a Linux host, then attempting to browse a file share on a Windows host and grabbing the hash
02:45 - Cracking the hashes our computer provided to show how easy it is to steal passwords on a network
04:30 - Showing how we can perform an LLMNR request in PowerShell
06:15 - Combining the PowerShell LLMNR request with our Slack WebMessage hook to send notifications to Slack
07:50 - Testing the PowerShell code out and seeing it send a message to Slack
09:00 - Creating a scheduled task to run this PowerShell code every 5 minutes
11:00 - Converting the PowerShell to PowerShell-friendly (UTF-16LE) Base64
12:30 - Changing our scheduled task to write to EventLogs instead of Slack, which is better for networks that have centralized logging
18:15 - Showing the scheduled task runs every 5 minutes
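
A sketch of the honey task the chapters above build, written as an added example and not taken from the video: a probe resolves a name that should not exist over LLMNR only, logs any answer to the Application event log, and is registered as a scheduled task that repeats every 5 minutes using a UTF-16LE Base64 `-EncodedCommand`. The honey name, event source, event ID, task name and the SYSTEM principal are assumptions chosen for illustration, and the probe assumes LLMNR is still enabled on the workstation that runs it.

```powershell
# Run once from an elevated Windows PowerShell 5.1 prompt.
# Assumed values (not from the video): source name, event ID, honey name, task name.
$Source   = 'LLMNRHoneyTask'
$TaskName = 'LLMNR Honey Probe'

# Write-EventLog fails if the source is not registered, so create it up front.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# The probe itself. A legitimate network has nothing that answers this name,
# so any LLMNR reply indicates a host answering names it does not own.
$Probe = {
    $HoneyName = 'fileshare-hp7'   # constructed name; must not exist in DNS
    $hits = Resolve-DnsName -Name $HoneyName -LlmnrOnly -ErrorAction SilentlyContinue
    if ($hits) {
        # The answer carries the address the responder wants clients to connect to.
        $ips = ($hits | Where-Object { $_.IPAddress } |
                ForEach-Object { $_.IPAddress } | Sort-Object -Unique) -join ', '
        Write-EventLog -LogName Application -Source 'LLMNRHoneyTask' `
            -EventId 4100 -EntryType Warning `
            -Message "LLMNR answer received for honey name '$HoneyName': $ips"
    }
}

# powershell.exe -EncodedCommand expects Base64 over UTF-16LE bytes.
$Bytes   = [Text.Encoding]::Unicode.GetBytes($Probe.ToString())
$Encoded = [Convert]::ToBase64String($Bytes)

# Start now and repeat every 5 minutes.
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -EncodedCommand $Encoded"
$Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                 -RepetitionInterval (New-TimeSpan -Minutes 5)
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount

Register-ScheduledTask -TaskName $TaskName -Action $Action `
    -Trigger $Trigger -Principal $Principal
```

With centralized logging in place, alert on the chosen event ID and source from the Application log; a hit from any workstation is worth investigating because nothing should answer the honey name.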
