Sysmon update introduces DNS Query Logging
A new version of the Sysmon tool will be released on Tuesday 11, 2019 that introduces DNS query logging to the Windows system monitor.
Mark Russinovich, the creator of the tool and Microsoft Azure CTO, teased the new feature in a message on Twitter on June 8, 2019.
The system monitor Sysmon extends the functionality of the Windows Event log by monitoring the system for certain events and writing them to the event log.
Tip: check out our review of Sysmon 5 to get a better understanding of the free application.
Sysmon: dns query logging
The next Sysmon release introduces support for DNS query logging. Russinovich published a screenshot on Twitter that showcases the new feature. The screenshot shows logged DNS queries and information about one of the logged queries.
Particularly interesting is the linking of the query to a specific executable on the system and that DNS query responses are logged as well. The value of "Image" reveals the program the query initiated from.
The Windows Event Log supports the logging of DNS queries but it needs to be enabled first before Windows starts logging these events, and does not highlight the executable file that initiated the query.
Here is how you enable DNS logging on Windows:
- Use Windows-R to open the run box on the system.
- Type eventvwr.msc and tap on the Enter-key to load the Event Viewer.
- Navigate the following path: Applications and Service Logs > Microsoft > Windows > DNS Client Events > Operational
- Right-click on Operational, and select Enable Log.
The new Sysmon feature improves DNS query logging on Windows. Especially the logging of executable filenames and paths should be welcome as it makes it easier to identify the programs a DNS query originated from.
Regularly going through the DNS query log could highlight programs that leak information potentially or are dangerous. The feature may also be useful when it comes to the logging of software installations or updates to verify what is happening in the background.
The new version of Sysmon will be published on Microsoft's Sysinternals website.
Now You: do you analyze DNS queries? (via Bleeping Computer)
Martin, Please change Mike to Mark.
I hope the newest version continues to use “Event timestamps are in UTC standard time.”