rvlsoft - Fotolia

Using the Sysinternals Sysmon tool to check DNS queries

A recent update to the Sysinternals Sysmon utility adds DNS query logging to give deeper insights into the connections made by your Windows machines.

If you're an IT professional with experience troubleshooting the Windows OS, then you may have used a tool from the Sysinternals suite.

The Sysinternals utilities have been around since 1996 and have been one of the most popular tools to handle various tasks in Windows, from remote execution (PSExec) to looking at software that starts automatically (Autoruns). Of the many tools in the Sysinternals suite, Sysmon is one of the best at providing great insight into what is happening in several areas on Windows. With the addition of the DNS query logging feature, I consider Sysmon an essential tool for administrators to monitor process creations and network connections.

Deploying Sysmon to clients

Chocolatey is the de facto package manager on Windows, due to its immense repository of Windows software and its integration with PowerShell and configuration management applications. Chocolatey has Sysmon and the rest of the Sysinternals suite on its public repository.

Chocolatey doesn't install Sysmon on a machine; it just unzips the files needed to install the Sysmon service. With some modification to the Chocolatey installation script, we can change that.

C:\Chocotemp\> cat .\chocolateyInstall.ps1

$packageName = 'sysmon'

$url = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)\files\Sysmon.zip"

$checksum = 'ed271b81eee546f492f25b10cdf99ffcff5670fa502fdf21151c18157b826f39'

$checksumType = 'sha256'

$url64 = "$url"

$checksum64 = "$checksum"

$checksumType64 = "checksumType"

$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"

 

Install-ChocolateyZipPackage -PackageName "$packageName" `

                             -Url "$url" `

                             -UnzipLocation "$toolsDir" `

                             -Url64bit "$url64" `

                             -Checksum "$checksum" `

                             -ChecksumType "$checksumType" `

                             -Checksum64 "$checksum64" `

                             -ChecksumType64 "$checksumType64"

 

& ($toolsDir + '\Sysmon64.exe') /accepteula /i /h * /n

The last line of the script calls for the execution of sysmon64.exe with the arguments /accepteula /i /h * /n, which accepts the end-user license agreement, installs the Sysmon service on the local system, uses all hash algorithms and sets up logging of network connections.

When I run the command choco install sysmon –y, it installs the Sysmon service when I install the package.

Sysmon setup
Set up Chocolatey to fetch Sysmon and install the service.

Use configuration files to get what you want

With the addition of the DNS query logging feature, I consider Sysmon an essential tool for administrators to monitor process creations and network connections.

Once you get familiar with using Sysmon, you will want to use it with configuration files, which help filter events that Sysmon logs to weed out unnecessary information.

The IT professional who uses the handle @SwiftOnSecurity on Twitter maintains one of the more popular customized Sysmon configuration files at this repository on GitHub. It contains a lot of valuable inclusions and exclusions for those times when you need a cleaner Sysmon log. For instance, there is a section for monitoring file creation processes that includes important file extensions, such as .ps1, .bat and .vbs.

Displaying the Sysmon event log

One of the great features of Sysmon is that it puts logs in a familiar location: Windows Event Viewer. The exact location is under Applications and Services > Microsoft > Windows > Sysmon. Here, we can search and filter just like any other Windows event log. For instance, to search for a specific IP address for a network connection, users can right-click on the Sysmon log, and choose Find. This opens a dialog to search keywords -- in this case, an IP address.

Logging DNS queries in Sysmon

A recent release of Sysmon added a new feature: logging DNS queries. To test it, after browsing to Google in Chrome, I see it is logged in Sysmon as the following:

Dns query:
RuleName:
UtcTime: 2019-06-13 19:38:50.327
ProcessGuid: {17847a67-4157-5d02-0000-001048c02000}
ProcessId: 11328
QueryName: www.google.com
QueryStatus: 0
QueryResults: 172.217.10.68;
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

This brings in the ability to track if a system attempts to contact malicious sites, which can be helpful when detecting malware.

Search the Sysmon event log with PowerShell

The Get-WinEvent cmdlet is one of the most useful troubleshooting cmdlets in PowerShell for its ability to run a search in the Windows event log. Because Sysmon gets logged to the Windows event log, we can search it with PowerShell.

In the command below, we run Get-WinEvent on a remote computer (WIN10-CBB) and use -FilterHashTable to look in the Sysmon log for DNS queries only. I then pipe that output to Select-Object so that I only retrieve the message in the event. (The Event ID 22 occurs when a process runs a DNS query.)

Get-WinEvent -ComputerName win10-cbb -FilterHashTable @{logname="Microsoft-Windows-Sysmon/Operational";ProviderName="Microsoft=Windows-Sysmon";ID=22"} | Select-Object -ExpandProperty Message
Search the Sysmon event log
Use the Get-WinEvent cmdlet to search the Sysmon event log with PowerShell.

The result is that I print all of the DNS queries for this machine.

Dig Deeper on Microsoft messaging and collaboration

Cloud Computing
Enterprise Desktop
Virtual Desktop
Close