@clong Recently ran across your detect-responder ext (https://github.com/clong/detect-responder). Outside of this extension, have you/anyone else found any other way to pickup LLMNR-poisoning artifacts with osquery?

Not really. There’s a handful of python and powershell scripts that do this, but im not really aware of how to do this across an enterprise and cover many different networks/subnets at once