Skip to content

What process made the DNS query?

ID: Q1018

Approaches to Answer

Approaches

Note

There are often multiple ways to approach answering a question. This section explains the approaches considered, how they work, and any benefits or drawbacks to each. All these approaches have different pros and cons. They can be used individually or in conjunction.

🗂️ Explanation

Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged. Content Filter needs to be enabled to capture DNS request queries.

References

  • https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

  • Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent

Not Covered

  • Hosts with the Falcon agent, but where the Content Filter is not enabled

💾 Data

The following data source(s) are needed for this approach to the question.

  • CrowdStrike: DnsRequest

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

More information on Crowdstrike Investigate (Ui).

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Crowdstrike Investigate (Ui)'s output into one of these analysis platforms, use the following steps to refine the data to answer the question.

Manual

  1. UI steps in Investigate Bulk domains
  2. Type: GUI
  3. Value: In the second table, Process that looked up specified Domain(s) the columns PID, Process ID, and File Name give the source process information for the DNS query.

🗂️ Explanation

Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged. Content Filter needs to be enabled to capture DNS request queries.

References

  • https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

  • Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent

Not Covered

  • Hosts with the Falcon agent, but where the Content Filter is not enabled

💾 Data

The following data source(s) are needed for this approach to the question.

  • CrowdStrike: DnsRequest

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

More information on Splunk.

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Splunk's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

Splunk-Query

  1. Query joining DNS Request events and executions gives the source for each DNS query
  2. Type: splunk-query
  3. Value: ComputerName="{hostname}" event_simpleName=ProcessRollup* | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search ComputerName="{hostname}" event_simpleName=DnsRequest | fields ContextProcessId_decimal, DomainName] | table _time, DomainName, ImageFileName

🗂️ Explanation

DNS Query, event ID 22, records a DNS query being issued by a specific host and the originating process.

References

  • https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90022

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

  • Windows

Not Covered

  • Windows hosts without Sysmon installed

💾 Data

The following data source(s) are needed for this approach to the question.

Type
ForensicArtifact
Value
WindowsXMLEventLogSysmon (view on GitHub)

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

More information on Splunk.

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Splunk's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

Splunk-Query

  1. Query for Sysmon Event ID 22 and extracting the parent process ID and path.
  2. Type: splunk-query
  3. Value: source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=22 | table _time, host, process_id, process_path

More information on Plaso.

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

OpenSearch

  1. Query for Sysmon Event ID 22 events

  2. OpenSearch query:

    data_type:"windows:evtx:record" source_name:"Microsoft-Windows-Sysmon" event_identifier:22

  3. Determine the source process in relevant event(s)

  4. Type: manual
  5. Value: Plaso (as of v20230717) doesn't parse the xml_string into attributes. Examine the xml_string; the value after <Data Name="Image"> is the process that made the DNS query.

Python Notebook

  1. Query for Sysmon Event ID 22 events

  2. Python code:

    df.df.query('data_type == "windows:evtx:record" and source_name == "Microsoft-Windows-Sysmon" and event_identifier == 22')

  3. Extract Image attribute

  4. Python code:

    df.df['process'] = df['xml_string'].str.extract(r'<Data Name="Image">(.*?)</Data>')

  5. Extract QueryName attribute

  6. Python code:

    df.df['query'] = df['xml_string'].str.extract(r'<Data Name="QueryName">(.*?)</Data>')

  7. Filter down to DNS query of interest

  8. Python code:

    df.df[df.query.str.contains('<domain>')]