Sysmon Event ID 22

SourceSysmon

22: DNSEvent

This is an event from Sysmon.

On this page

Malware uses DNS in the traditional way to locate components of the attacker infrastructure such as command and control servers.  Attackers can also leverage the DNS protocol for communication between components such as by embedding check-in data in the query and commands to carry out in the query response.  

This event allows you to monitor the query and results sent back by the DNS server as well as the process that generated the query.  Of course this event will produce many legitmate records.  

One might consider capturing the same information at the network gateway or local DNS server which forwards unresolved DNS queries the Internet.  However attackers may bypass the local DNS server or use encrypted DNS.  It's possible Sysmon would provide visibility into both situations.

Free Security Log Resources by Randy

Description Fields in 22

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • RuleName
  • UtcTime
  • ProcessGuid
  • ProcessId
  • QueryName
  • QueryStatus
  • QueryResults
  • Image

Supercharger Free Edition

 

Examples of 22

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/15/2021 1:07:01 PM
Event ID:       22
Task Category: Dns query (rule: DnsQuery)
Level:          Information
Keywords:      
User:           SYSTEM
Computer:       w19-ex-111.Win2019.local
Description: Dns query:
RuleName: -
UtcTime: 2021-04-15 20:06:58.876
ProcessGuid: {ff9115ad-7aff-6078-4000-000000002c00}
ProcessId: 3292
QueryName: w19-sc-114.win2019.local
QueryStatus: 0
QueryResults: ::ffff:10.42.1.114;
Image: C:\Program Files\Supercharger Controller\Mtg.Supercharger.ControllerService.exe
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>22</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-04-15T20:07:01.007242000Z" />
    <EventRecordID>8954</EventRecordID>
    <Correlation />
    <Execution ProcessID="3500" ThreadID="1904" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>w19-ex-111.Win2019.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-04-15 20:06:58.876</Data>
    <Data Name="ProcessGuid">{ff9115ad-7aff-6078-4000-000000002c00}</Data>
    <Data Name="ProcessId">3292</Data>
    <Data Name="QueryName"> w19-ex-111.win2019.local</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:10.42.1.114;</Data>
    <Data Name="Image">C:\Program Files\Supercharger Controller\Mtg.Supercharger.ControllerService.exe</Data>
  </EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources