Has anyone else seen Sysmon performing reverse DNS lookups?

  • Question

  • I recently installed Sysmon version 10.1 to take a look at the DNS Query capture feature. The funny thing is I saw Sysmon as the source image of multiple reverse DNS lookups for external IP addresses. A quick lookup for the IPs shows that some of them are in China and the Ukraine. Has anyone else seen this kind of behavior?

    Example IPs

    EDIT: After finding the actual source of the connection, I believe Sysmon is performing reverse DNS lookups for traffic that it observes rather than initiating the connections themselves. I found another executable making the connections and Sysmon was also looking up domains for IPs I visited directly through the command line.

    • Edited by joeldavideng Saturday, June 29, 2019 1:12 PM The root cause of the problem turned out to be my interpretation of the data Sysmon was presenting, so I want to change this to a less inflammatory title.
    Sunday, June 23, 2019 5:56 PM

All replies

  • Can you post a couple of the Event ID 22 referring to those sites??

    Maybe something is injected in Sysmon.exe..


    Monday, June 24, 2019 1:25 PM
  • Yes, could you let us see some of these events? If you don't want to post them here, feel free to contact me offline at and we can take a look for you.

    MarkC (MSFT)

    Wednesday, June 26, 2019 8:22 AM
  • Mark,

    Thanks for the offer, but I already found the executable that was attempting to make the connections. That being said, Sysmon was performing reverse DNS lookups for the IPs after the other executable made the initial request. I suspect it was resolving the IPs to present the domain name.


    Saturday, June 29, 2019 1:06 PM
  • Thank goodness it wasn't that. I believe Sysmon was performing reverse DNS lookups for IPs another executable was attempting to connect to directly.
    Saturday, June 29, 2019 1:07 PM
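
The correlation the original poster ended up doing by hand, as an added example that is not part of the thread: for every reverse (PTR) lookup logged in Event ID 22 with Sysmon as the Image, list the other processes whose Event ID 3 network connections went to that address. It assumes the events were already exported to dictionaries keyed by Sysmon's EventData field names (`Image`, `QueryName`, `DestinationIp`); the sample events, process paths and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample events (EventData fields only); documentation IP ranges.
EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\demo\AppData\Local\Temp\updater.exe",
     "DestinationIp": "203.0.113.45"},
    {"EventID": 22, "Image": r"C:\Windows\Sysmon.exe",
     "QueryName": "45.113.0.203.in-addr.arpa"},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe",
     "DestinationIp": "198.51.100.7"},
    {"EventID": 22, "Image": r"C:\Windows\Sysmon.exe",
     "QueryName": "7.100.51.198.in-addr.arpa."},   # trailing root dot
    {"EventID": 22, "Image": r"C:\Windows\Sysmon.exe",
     "QueryName": "10.2.0.192.in-addr.arpa"},      # no matching connection
    {"EventID": 22, "Image": r"C:\Program Files\demo\browser.exe",
     "QueryName": "www.example.com"},              # ordinary forward lookup
]

def ptr_to_ip(query_name):
    """Return the IPv4 address encoded in an in-addr.arpa name, else None."""
    name, suffix = query_name.rstrip(".").lower(), ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:          # e.g. an octet above 255
        return None

def attribute_sysmon_ptr_lookups(events, sysmon_names=("sysmon.exe", "sysmon64.exe")):
    """Map each IP that Sysmon reverse-resolved to the images that connected to it."""
    connectors = {}
    for ev in events:           # index Event ID 3 (NetworkConnect) by destination
        if ev["EventID"] == 3:
            connectors.setdefault(ev["DestinationIp"], set()).add(ev["Image"])
    report = {}
    for ev in events:           # Event ID 22 (DNSEvent) where Sysmon is the Image
        if ev["EventID"] != 22:
            continue
        if ev["Image"].lower().rsplit("\\", 1)[-1] not in sysmon_names:
            continue
        ip = ptr_to_ip(ev["QueryName"])
        if ip is not None:
            report[ip] = sorted(connectors.get(ip, set()))
    return report

if __name__ == "__main__":
    for ip, images in attribute_sysmon_ptr_lookups(EVENTS).items():
        print(ip, "<-", images or "no connection event found")
```

An empty list for an address means no Event ID 3 from another process was captured for it, which is the case that deserves a closer look.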