Ask Your Question

llmnr malicious domain

asked 2018-07-21 01:49:49 +0000

kiowa gravatar image

I've captured a compromised system. I filter llmnr and found a collection of suspicious results. Some of the requests are sent to domains with mixed characters. Such as "kdonszushlwi" or as "ytdfgejjknsc". What are these?

edit retag flag offensive close merge delete


Can you share a trace file?

Eddi gravatar imageEddi ( 2018-07-21 21:07:09 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2018-07-22 01:16:15 +0000

Jim Aragon gravatar image

Are you using Google Chrome as your browser? If so, then it's not malicious, it's Chrome trying to detect if your ISP is using wildcard DNS to catch all domains, even ones that don't exist.

See this page for an explanation. It uses DNS in all the images, but Chrome does the same thing with LLMNR.

edit flag offensive delete link more


that is what i'm seeing. however, in squert there is a hit for a p2p thunder.xunelei.i'm looking for traffic that can show it is reaching out.

kiowa gravatar imagekiowa ( 2018-07-22 02:27:10 +0000 )edit

I resolved the issue. It was a false-positive. Investigating futher I found the users were on thin-clients. The NIC cards were from InveTec. Its a Chinese company. The LLMNR broadcasts are normal in this case. The Snort alert must have correlated the Xuneli software and the foreign NIC card.

kiowa gravatar imagekiowa ( 2018-07-23 15:23:42 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-07-21 01:49:49 +0000

Seen: 569 times

Last updated: Jul 23 '18