Digging for Gold: Examining DNS Logs on Windows Clients
dc.contributor.author | Draeger, Amanda
dc.date.accessioned | 2023-12-05T20:47:21Z
dc.date.available | 2023-12-05T20:47:21Z
dc.date.issued | 2019
dc.description.abstract | Investigators can examine Domain Name Service (DNS) queries to find potentially compromised hosts by searching for queries that are unusual or that go to known malicious domains. Once the investigator identifies the compromised host, they must then locate the process that is generating the DNS queries. The problem is that Windows hosts do not log DNS client transactions by default, and there is little documentation on the structure of those logs. This paper examines how to configure several modern versions of Windows to log DNS client transactions so that the originating process for any given DNS query can be determined. These configurations will allow investigators to determine more quickly not only which host is compromised but also which process is malicious.
dc.description.sponsorship | Army Cyber Institute
dc.identifier.citation | Draeger, Amanda. "Digging for Gold: Examining DNS Logs on Windows Clients". SANS, 2019.
dc.identifier.uri | https://sansorg.egnyte.com/dl/8AvFYOPL0f
dc.identifier.uri | https://hdl.handle.net/20.500.14216/1339
dc.publisher | SANS
dc.subject | DNS Logs
dc.title | Digging for Gold: Examining DNS Logs on Windows Clients
dc.type | White papers
local.peerReviewed | No