Secure Bits
Ever needed to find out which process is behind a suspicious DNS query?
I recently worked with a customer who noticed weird DNS requests to Uzbekistan addresses.
I enabled all possible DNS logs, but none provided the process name behind the queries.
That's where Sysmon saved the day.
Sysmon is a powerful auditing tool that lets you apply filters to reduce unnecessary logs, saving storage space and licensing costs.
The key? Event ID 22
With Sysmon Event ID 22, you can log DNS queries while capturing the exact process responsible, and that's how I found the source of the suspicious traffic. There are of course other ways to solve this, but in my case this was the quick one!
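To show what the post describes in practice, here is an added example (not code from the original post): a small Python script that reads Sysmon Event ID 22 (DnsQuery) records in the XML shape that `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"` exports via `.ToXml()`, then answers the question "which process asked for names under a given domain suffix". The event records, host name, process paths and domain names are constructed sample data; the field names (`QueryName`, `Image`, `ProcessId`, `User`, `RuleName`, ...) are the real Event ID 22 fields. It generalises the post's single case by grouping every queried name by the process images that requested it.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Windows event log XML namespace used by Sysmon records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: four Sysmon Event ID 22 records wrapped in a root element.
# Host, users, paths, domains and addresses are made up for this example.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-15 09:12:03.114</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="QueryName">update.example-vendor.uz</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:203.0.113.10;</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-15 09:12:05.002</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="ProcessId">5532</Data>
    <Data Name="QueryName">www.microsoft.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:198.51.100.5;</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-15 09:12:09.771</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000003}</Data>
    <Data Name="ProcessId">1180</Data>
    <Data Name="QueryName">wpad.corp.example</Data>
    <Data Name="QueryStatus">9003</Data>
    <Data Name="QueryResults"></Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="User">NT AUTHORITY\LOCAL SERVICE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-15 09:13:41.330</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="QueryName">cdn.example-vendor.uz</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:203.0.113.11;</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
</Events>"""


def parse_dns_events(xml_text):
    """Return one dict per Event ID 22 record, keyed by the EventData 'Name' attributes."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue  # only DnsQuery records carry QueryName and Image together
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        data["Computer"] = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        events.append(data)
    return events


def queries_under_domain(events, suffix):
    """Records whose QueryName ends with the given suffix (e.g. '.uz'), case-insensitive."""
    suffix = suffix.lower()
    return [e for e in events if e["QueryName"].lower().endswith(suffix)]


def images_by_query(events):
    """Map each queried name to the set of process images that requested it."""
    out = defaultdict(set)
    for e in events:
        out[e["QueryName"]].add(e["Image"])
    return dict(out)


def top_images(events, n=5):
    """The n most active resolving processes, useful as a first triage view."""
    return Counter(e["Image"] for e in events).most_common(n)


if __name__ == "__main__":
    evs = parse_dns_events(SAMPLE_EVENTS)
    for e in queries_under_domain(evs, ".uz"):
        print(f"{e['UtcTime']} {e['Computer']} pid={e['ProcessId']} {e['User']} "
              f"{e['Image']} -> {e['QueryName']}")
    print(top_images(evs))
```

On a real host the input would come from the Microsoft-Windows-Sysmon/Operational channel; the `RuleName` field is where the name of the matching Sysmon config rule lands, so if you trim the DnsQuery volume with an exclude filter (as the post suggests for storage and licensing reasons), the records that survive still tell you which rule let them through.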
Do you use Sysmon in your environment?
