@clong Recently ran across your detect-responder ext (https://github.com/clong/detect-responder). Outside of this extension, have you/anyone else found any other way to pick up LLMNR-poisoning artifacts with osquery?
Not really. There's a handful of Python and PowerShell scripts that do this, but I'm not really aware of how to do this across an enterprise and cover many different networks/subnets at once.
I'd really like to rewrite that extension in Go so the dependencies are included, but alas, then I'd have to relearn the tiny bit of Go that I once knew.
