A malicious code was querying a hard-coded DNS server instead of system DNS even that was not registering with system

Nazakat Ali 61 Reputation points
2020-12-17T07:40:17.39+00:00

Malicious code was querying a hard-coded DNS server instead of the system DNS, and that was not registering with the system. We could see the queries at the network level (Packetbeat logs). Can you please throw some light on it?


Accepted answer
  1. Candy Luo 12,691 Reputation points Microsoft Vendor
    2020-12-17T09:02:35.12+00:00

    Hi ,

    Please understand, Packetbeat is a third-party tool which we are not familiar with it. You can use Wireshark or network monitor to collect network traces and get more details about the source of those queries.

    You can download network monitor via following link:

    https://www.microsoft.com/en-sg/download/details.aspx?id=4865

    For how to collect data using Network Monitor, you can refer to the following article:

    https://learn.microsoft.com/en-us/windows/client-management/troubleshoot-tcpip-netmon

    Best Regards,

    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Nazakat Ali 61 Reputation points
    2020-12-17T09:37:14.273+00:00

    It is also visible in Wireshark. It is being captured by Wireshark but not by Sysmon.

    (attached image: 49141-whatsapp-image-2020-12-17-at-30214-pm.jpeg)


  2. Candy Luo 12,691 Reputation points Microsoft Vendor
    2020-12-18T02:34:28.063+00:00

    Hi ,

    Good morning! I have truly understood your question. In fact, this is related to Sysmon's working mechanism. Network Monitor and Wireshark use an NDIS (Network Driver Interface Specification) filter driver, so they can filter traffic.

    Based on my understanding, Sysmon is monitoring Windows-related services. ping and tracert will call the Dnscache service, while nslookup doesn't use the client's DNS cache. So DNS queries from, for instance, web browsers, FileZilla, WinSCP, ping, tracert, etc. can be monitored. DNS lookups using nslookup cannot be monitored by Sysmon because it is not calling the Dnscache service.

    As for the malicious code DNS querying you posted, it probably didn't call a Windows-related service, so it cannot be monitored by Sysmon.

    In short, we always use Network Monitor and Wireshark to monitor network-related traffic.

    Hope this can help you.

    Note: since this is a public forum, everyone could view your information, please remove private information that might leak your privacy.

    Best Regards,

    Candy

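As an added example that is not part of this thread: a small Python triage script over Packetbeat-style DNS events (NDJSON with ECS-like field names, which is an assumption about the log shape) that flags queries sent to any server other than the host's configured resolvers. Those direct queries are exactly the traffic the Dnscache-based Sysmon DNS event misses but a network capture still shows; the resolver addresses and sample events below are constructed.

```python
import json
from collections import defaultdict

# Resolvers configured on the host (constructed values; on a real host take
# them from `ipconfig /all`). Queries to anything else bypassed Dnscache.
SYSTEM_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Constructed Packetbeat-style DNS events (ECS-like field names assumed).
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in [
    {"type": "dns", "source": {"ip": "10.0.0.50"},
     "destination": {"ip": "10.0.0.2", "port": 53},
     "dns": {"question": {"name": "update.microsoft.com"}}},
    {"type": "dns", "source": {"ip": "10.0.0.50"},
     "destination": {"ip": "203.0.113.9", "port": 53},
     "dns": {"question": {"name": "a1b2c3.example.net"}}},
    {"type": "dns", "source": {"ip": "10.0.0.50"},
     "destination": {"ip": "203.0.113.9", "port": 53},
     "dns": {"question": {"name": "d4e5f6.example.net"}}},
    {"type": "http", "source": {"ip": "10.0.0.50"},
     "destination": {"ip": "203.0.113.9", "port": 80}},
])


def parse_ndjson(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_non_system_dns(events, resolvers):
    """Return DNS events whose destination is not a configured resolver.

    Anything the Windows DNS client (Dnscache) resolves goes to the
    configured resolvers; a query to another server was sent directly by the
    process itself and will not show up in Sysmon's DNS query events.
    """
    flagged = []
    for ev in events:
        if ev.get("type") != "dns":
            continue
        dst = ev.get("destination", {}).get("ip")
        if dst is not None and dst not in resolvers:
            flagged.append(ev)
    return flagged


def summarise(flagged):
    """Group flagged queries by (source, destination) with the names asked;
    a hard-coded resolver shows up as one pair carrying many names."""
    groups = defaultdict(set)
    for ev in flagged:
        key = (ev["source"]["ip"], ev["destination"]["ip"])
        groups[key].add(ev["dns"]["question"]["name"])
    return {key: sorted(names) for key, names in groups.items()}


if __name__ == "__main__":
    hits = flag_non_system_dns(parse_ndjson(SAMPLE_NDJSON), SYSTEM_RESOLVERS)
    for (src, dst), names in summarise(hits).items():
        print(f"{src} -> {dst}: {len(names)} names, e.g. {names[0]}")
```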