SysMon DNS Queries Occur from ipconfig

  • Question

  • Hello,

    We are seeing that some processes are logging DNS queries when we believe they should not be.

    We have validated the logs exist with on the endpoint and we are bringing them into our SIEM.

    Here are some examples (Note we manipulate the field names):
    (Couldn't post a picture, I could use some help getting my account verified to make this much easier)

    winlog.task                 process.name   dns.question.name                     dns.resolved_ip

    Dns query (rule: DnsQuery)  ipconfig.exe   img.macromill.com
    Dns query (rule: DnsQuery)  ipconfig.exe   inv-nets.admixer.net                  204.62.13.72
    Dns query (rule: DnsQuery)  ipconfig.exe   www.facebook.com
    Dns query (rule: DnsQuery)  ipconfig.exe   fm.flashtalking.com
    Dns query (rule: DnsQuery)  ipconfig.exe   pool.admedo.com
    Dns query (rule: DnsQuery)  ipconfig.exe   gameplay.intel.com
    Dns query (rule: DnsQuery)  ipconfig.exe   officehomeblobs.blob.core.windows.net

    We have seen other processes whose DNS queries we are still trying to understand, but this was the most obvious process that had us wondering what might be going on.

    From the same endpoint in the same 15 minute time window we see activity that is expected:

    winlog.task                 process.name   dns.question.name              dns.resolved_ip

    Dns query (rule: DnsQuery)  Teams.exe      statics.teams.cdn.office.net   24.52.24.203, 24.52.24.216
    Dns query (rule: DnsQuery)  Teams.exe      gov.teams.microsoft.us         52.127.88.56
    Dns query (rule: DnsQuery)  OUTLOOK.EXE    outlook.office.com             52.96.79.146, 52.96.79.130, 52.96.73.50, 52.96.79.178

    Is this a known bug or issue? Wanted to report and get feedback on how we can address this.

    Thank you!

    Nic

    Wednesday, June 17, 2020 5:24 PM

Answers

  • Hi Nic

    For Sysmon 11.10 we have resolved an issue where events generated by ETW (NetworkConnect and DNS) were sometimes attributed to the wrong process. The issue is that these network events are fed into the pipeline on a different thread, and sometimes, when the main driver thread is running slightly behind because of a busy system, the network event will be processed before the process create. The result was that the stale process information in the cache was not being updated and the network event was attributed to the wrong process.

    Sysmon 11.10 is due to be published imminently, but if you would like a copy ahead of the publication, ping me offline at syssite@microsoft.com and I can make it available to you.

    MarkC(MSFT)

    • Marked as answer by nicpenning Friday, June 19, 2020 12:51 PM
    Friday, June 19, 2020 8:04 AM
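The race Mark describes leaves a recognisable trace in the logs: a DNS event (Sysmon Event ID 22) carries the image of a process that, according to the ProcessCreate (Event ID 1) and ProcessTerminate (Event ID 5) records for the same PID, had already exited or had not yet started at the time of the query. The following added example (written for this page, not code from the thread or from Sysmon) rebuilds the per-PID lifetime from constructed Event 1/5 records and checks each constructed Event 22 record against it, so that historical events collected before the 11.10 fix can be sorted into "probably misattributed" and "genuinely worth a look". The field names (UtcTime, ProcessId, Image, QueryName) are Sysmon's; the sample paths, timestamps and the list of "unexpected resolvers" are assumptions to be tuned locally.

```python
"""Cross-check Sysmon DNS events (Event ID 22) against the process lifetime
recorded by ProcessCreate (ID 1) / ProcessTerminate (ID 5) for the same PID.

Added triage example, not Sysmon's own code. All event records below are
constructed; they use only fields Sysmon actually emits.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"   # format of Sysmon's UtcTime field


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, SYSMON_TS)


@dataclass
class ProcEvent:
    event_id: int        # 1 = ProcessCreate, 5 = ProcessTerminate
    pid: int
    image: str
    utc: datetime


@dataclass
class DnsEvent:
    pid: int
    image: str           # Image exactly as Sysmon attributed it
    query: str
    utc: datetime


# Images with no routine reason to resolve names (assumption; tune locally).
UNEXPECTED_RESOLVERS = {"ipconfig.exe", "whoami.exe", "hostname.exe"}


def owner_at(pid: int, when: datetime, procs: List[ProcEvent]) -> Optional[str]:
    """Image that held `pid` at `when` according to Event 1/5, or None if the PID was free."""
    live = None
    for ev in sorted((p for p in procs if p.pid == pid), key=lambda p: p.utc):
        if ev.utc > when:
            break
        live = ev.image if ev.event_id == 1 else None
    return live


def triage(dns: List[DnsEvent], procs: List[ProcEvent]) -> List[dict]:
    """Return one finding per DNS event whose attribution is suspect or noteworthy."""
    findings = []
    for d in dns:
        owner = owner_at(d.pid, d.utc, procs)
        claimed = ntpath.basename(d.image).lower()
        if owner is None:
            verdict = "attributed to a PID with no live process; probable misattribution"
        elif ntpath.basename(owner).lower() != claimed:
            verdict = "PID reused; probable misattribution"
        elif claimed in UNEXPECTED_RESOLVERS:
            verdict = "attribution consistent but image is an unexpected resolver; review"
        else:
            continue
        findings.append({"query": d.query, "claimed": claimed,
                         "probable_owner": ntpath.basename(owner) if owner else None,
                         "verdict": verdict})
    return findings


# --- constructed sample data (not real telemetry) ---
PROCS = [
    ProcEvent(1, 4120, r"C:\Windows\System32\ipconfig.exe", parse_ts("2020-06-17 17:20:00.000")),
    ProcEvent(5, 4120, r"C:\Windows\System32\ipconfig.exe", parse_ts("2020-06-17 17:20:00.300")),
    ProcEvent(1, 4120, r"C:\Program Files\Browser\browser.exe", parse_ts("2020-06-17 17:20:00.850")),
    ProcEvent(1, 5008, r"C:\Users\nic\AppData\Local\Microsoft\Teams\current\Teams.exe",
              parse_ts("2020-06-17 17:10:00.000")),
]
DNS = [
    # PID 4120 was reused by browser.exe 50 ms before this query: stale cache entry.
    DnsEvent(4120, r"C:\Windows\System32\ipconfig.exe", "www.facebook.com", parse_ts("2020-06-17 17:20:00.900")),
    # ipconfig really was alive here; still odd for it to resolve a name.
    DnsEvent(4120, r"C:\Windows\System32\ipconfig.exe", "img.macromill.com", parse_ts("2020-06-17 17:20:00.200")),
    # ipconfig had exited and nothing held the PID yet.
    DnsEvent(4120, r"C:\Windows\System32\ipconfig.exe", "pool.admedo.com", parse_ts("2020-06-17 17:20:00.500")),
    # Expected traffic: attribution and image agree, nothing to report.
    DnsEvent(5008, r"C:\Users\nic\AppData\Local\Microsoft\Teams\current\Teams.exe",
             "statics.teams.cdn.office.net", parse_ts("2020-06-17 17:21:00.000")),
]


def sample_findings() -> List[dict]:
    return triage(DNS, PROCS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The check only works if Event ID 5 is being collected alongside Events 1 and 22; with terminations filtered out, a PID looks occupied until the next ProcessCreate and the "no live process" case collapses into the "PID reused" case. Timestamps come from the same host clock, so sub-second comparisons are meaningful within one endpoint but not across endpoints.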

All replies

  • That is great to hear! We can wait, as we still need to test the latest features of 11 anyway :)

    Thank you for this feedback!

    Friday, June 19, 2020 12:51 PM
  • Hi Nic

    Sysmon 11.10 was published today. Please let me know if you still experience difficulties with this.

    MarkC(MSFT)

    Wednesday, June 24, 2020 9:29 AM