Sysmon Event ID 22
22: DNSEvent
This is an event from
Sysmon.
On this page
Malware uses DNS in the traditional way to locate components of the attacker infrastructure such as command and control servers. Attackers can also leverage the DNS protocol for communication between components such as by embedding check-in data in the query and commands to carry out in the query response.
This event allows you to monitor the query and results sent back by the DNS server as well as the process that generated the query. Of course this event will produce many legitmate records.
One might consider capturing the same information at the network gateway or local DNS server which forwards unresolved DNS queries the Internet. However attackers may bypass the local DNS server or use encrypted DNS. It's possible Sysmon would provide visibility into both situations.
Free Security Log Resources by Randy
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- RuleName
- UtcTime
- ProcessGuid
- ProcessId
- QueryName
- QueryStatus
- QueryResults
- Image
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/15/2021 1:07:01 PM
Event ID: 22
Task Category: Dns query (rule: DnsQuery)
Level: Information
Keywords:
User: SYSTEM
Computer: w19-ex-111.Win2019.local
Description: Dns query:
RuleName: -
UtcTime: 2021-04-15 20:06:58.876
ProcessGuid: {ff9115ad-7aff-6078-4000-000000002c00}
ProcessId: 3292
QueryName: w19-sc-114.win2019.local
QueryStatus: 0
QueryResults: ::ffff:10.42.1.114;
Image: C:\Program Files\Supercharger Controller\Mtg.Supercharger.ControllerService.exe
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>22</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>22</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-04-15T20:07:01.007242000Z" />
<EventRecordID>8954</EventRecordID>
<Correlation />
<Execution ProcessID="3500" ThreadID="1904" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>w19-ex-111.Win2019.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2021-04-15 20:06:58.876</Data>
<Data Name="ProcessGuid">{ff9115ad-7aff-6078-4000-000000002c00}</Data>
<Data Name="ProcessId">3292</Data>
<Data Name="QueryName"> w19-ex-111.win2019.local</Data>
<Data Name="QueryStatus">0</Data>
<Data Name="QueryResults">::ffff:10.42.1.114;</Data>
<Data Name="Image">C:\Program Files\Supercharger Controller\Mtg.Supercharger.ControllerService.exe</Data>
</EventData>
</Event>
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection