Digging for Gold: Examining DNS Logs on Windows Clients
Authors
Draeger, Amanda
Issue Date
2019
Type
White papers
Keywords
DNS Logs
Abstract
Investigators can examine Domain Name Service (DNS) queries to find potentially compromised hosts by searching for queries that are unusual or that resolve known malicious domains. Once the investigator identifies the compromised host, they must then locate the process that is generating the DNS queries. The problem is that Windows hosts do not log DNS client transactions by default, and there is little documentation on the structure of those logs. This paper examines how to configure several modern versions of Windows to log DNS client transactions so that the originating process for any given DNS query can be determined. These configurations will allow investigators to determine more quickly not only which host is compromised, but also which process is malicious.
Citation
Draeger, Amanda. "Digging for Gold: Examining DNS Logs on Windows Clients". SANS, 2019.
Publisher
SANS
