Last Updated: 2019-06-16 20:46:33 UTC
by Didier Stevens (Version: 1)
Sysmon Version 10.0 brings DNS query logging.
By default, DNS query logging is not enabled. You need to provide a configuration file, like this simple config.xml:
This config file will log all DNS queries: using onmatch="exclude" without any filters excludes no events at all.
Remark also that the event is DnsQuery (and not DNSQuery as listed on Sysinternals page for Sysmon).
Here is a simple "ping google.com" command, resulting in event 22 being logged in the Sysmon Windows event log:
Remark that event 22 does not only log the DNS query, but also the replies and the program that issued the query.
If you enable DNS logging like I did (not exclusions) ina production environment, you will have too many events. SwiftOnSecurity's Sysmon config can help you exclude many queries that are not important for IR.
Sysmon DNS logging did not work on my Windows 7 VM, but I just noticed that Sysmon version 10.1 was released, I will test this again.
If you have more information or corrections regarding our diary, please share.