Digging for Gold: Examining DNS Logs on Windows Clients

dc.contributor.author: Draeger, Amanda
dc.date.accessioned: 2023-12-05T20:47:21Z
dc.date.available: 2023-12-05T20:47:21Z
dc.date.issued: 2019
dc.description.abstract: Investigators can examine Domain Name System (DNS) queries to find potentially compromised hosts by searching for queries that are unusual or that go to known malicious domains. Once the investigator identifies the compromised host, they must then locate the process that is generating the DNS queries. The problem is that Windows hosts do not log DNS client transactions by default, and there is little documentation on the structure of those logs. This paper examines how to configure several modern versions of Windows to log DNS client transactions so that the originating process of any given DNS query can be determined. These configurations allow investigators to determine more quickly not only which host is compromised but also which process on it is malicious.
dc.description.sponsorship: Army Cyber Institute
dc.identifier.citation: Draeger, Amanda. "Digging for Gold: Examining DNS Logs on Windows Clients". SANS, 2019.
dc.identifier.uri: https://sansorg.egnyte.com/dl/8AvFYOPL0f
dc.identifier.uri: https://hdl.handle.net/20.500.14216/1339
dc.publisher: SANS
dc.subject: DNS Logs
dc.title: Digging for Gold: Examining DNS Logs on Windows Clients
dc.type: White papers
local.peerReviewed: No
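The configuration the abstract describes, as an added PowerShell example that is not taken from Draeger's paper: it enables the Microsoft-Windows-DNS-Client/Operational channel, which Windows 8.1 and later ship disabled, and joins each query event to the process that issued it. The channel name, event ID 3006 and the QueryName field are those of the Windows DNS client ETW provider; the corp.example suffix used to suppress expected internal lookups is a placeholder assumption, as is the 64 MB log size.

```powershell
# Added example (not from the paper): enable the Windows DNS Client operational
# log and attribute each DNS query to the process that issued it.
# Assumes an elevated shell on Windows 8.1 / Server 2012 R2 or later.
# The channel is off by default and records only from the moment it is
# enabled, so this is a preparation step, not a retrospective data source.
$log = 'Microsoft-Windows-DNS-Client/Operational'
wevtutil sl $log /e:true /rt:false /ms:67108864   # 64 MB is an assumed size

# Snapshot of running processes so repeated PIDs resolve once. Windows reuses
# PIDs, so the mapping is only trustworthy while the issuing process is alive;
# a short-lived dropper may already have exited by the time the log is read.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_.Path }

# Event 3006 is written when a DNS query is issued. The calling PID lives in
# the System/Execution element of the ETW record, not in EventData.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3006 } -ErrorAction SilentlyContinue |
  ForEach-Object {
    [xml]$x   = $_.ToXml()
    $procId   = [int]$x.Event.System.Execution.ProcessID
    $query    = ($x.Event.EventData.Data | Where-Object Name -eq 'QueryName').'#text'
    [pscustomobject]@{
      Time      = $_.TimeCreated
      PID       = $procId
      Image     = if ($procs.ContainsKey($procId)) { $procs[$procId] } else { '<exited>' }
      QueryName = $query
    }
  } |
  # Triage filter: drop lookups under the organisation's own suffix
  # ('corp.example' is a placeholder) so external and odd names stand out.
  Where-Object { $_.QueryName -notlike '*.corp.example' } |
  Sort-Object Time |
  Format-Table -AutoSize
```

Two limits worth keeping in mind when using this on a suspected host: rows marked `<exited>` still carry a PID and timestamp, which can be matched against process-creation events (Security 4688 or Sysmon 1) to recover the image name after the fact, and because the channel is disabled by default, enabling it fleet-wide and forwarding the events before an incident is what makes the attribution available when it is needed.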
