Published writing

Blog


Sysmon 10 & DNS Queries

New Sysmon 10 DNS Feature being released

On June 19th Mark Russinovich tweeted that the release of Sysmon version 10 would include DNS query logging. Packetbeat is currently used to capture DNS queries, but with DNS query logging available in Sysmon this may change. Image of a tweet from Mark Russinovich about Sysmon supporting DNS query logging.

I have started upgrading Sysmon in our environment. I am using the base of SwiftOnSecurity’s AlphaVersion for the new configuration file with some changes to fit better in our environment. The GitHub repository is located here: https://github.com/SwiftOnSecurity/sysmon-config. Adding <DnsQuery onmatch="exclude"/> to your existing configuration file should be enough, but I highly recommend against this method, as it will be extremely noisy.

Currently the logs get shipp


Threat Hunting with DNS Queries

The majority of malware uses a command and control server to retrieve updates, commands to run and more. There are a few methods malware can use to find out where that command and control server is located.

Using an IP address would tie the command and control server to one location, while a DNS record allows it to move around as needed.

Logging DNS queries lets you build a baseline of your environment and check the queried domain names against lists of known bad domains.

This document will only cover the very basics of getting the DNS questions into GrayLog.

We will be using Packetbeat to log the queries and will ship the information to GrayLog via a LogBeat connector.

In the Packetbeat configuration you need to specify which interface will be used for monitoring. The available interfaces can be listed by running packetbeat devices.

Specify what protocols you want to monitor and th
