What are those DNS query's which Sysmon does not get from Windows

Question

please tell me about those DNS query's which Sysmon does not get from Windows

Answer 1

Hi ,

Once Sysmon is started, it will begin logging all DNS Query events to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational in the Event Viewer. This is done via event ID 22. This event generates when a process executes a DNS query, whether the result is successful or fails, cached or not.

Here is a simple "ping google.com" command, resulting in event 22 being logged in the Sysmon Windows event log:

For more details about Sysmon, you can refer to the following link:

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Best Regards,

Candy

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi ,

It can monitor the DNS queries executed by practically any Windows client software that is network-enabled, for instance web browsers, FileZilla, WinSCP, ping, tracert, etc. However, it should be noted that direct DNS lookups using nslookup are not logged by Sysmon’s DNS Query logging.

Best Regards,

Candy

Answer 3

Candyluo-MSET

Hi,

Thanks for input. But my Sysmon does not register DNS queries fired using nslookup in command prompt. can some
else also confirm?

Answer 4

Thanks a lot for prompt response. It was helpful. There is another situation we faced. A malicious code was querying a
hard-coded DNS server instead of system DNS even that was not registering with system. We could see the queries
at the network level (Packetbeat logs). Can you please throw some light on it?