"Digging for Gold: Examining DNS Logs on Windows Clients" by Amanda Draeger

ACI Journal Articles

Title

Digging for Gold: Examining DNS Logs on Windows Clients

Authors

Amanda Draeger, Army Cyber Institute, U.S. Military AcademyFollow

Document Type

Article

USMA Research Unit Affiliation

Army Cyber Institute

Publication Date

5-22-2019

Abstract

Investigators can examine Domain Name Service (DNS) queries to find potentially compromised hosts by searching for queries that are unusual or to known malicious domains. Once the investigator identifies the compromised host, they must then locate the process that is generating the DNS queries. The problem is that Windows hosts do not log DNS client transactions by default, and there is little documentation on the structure of those logs. This paper examines how to configure several modern versions of Windows to log DNS client transactions to determine the originating process for any given DNS query. These configurations will allow investigators to determine not only what host is compromised, but what the malicious process is more quickly.

Web Link

https://www.sans.org/white-papers/38975/

External Link

Record links to items hosted by external providers may require fee for full-text.

COinS

ACI Journal Articles

Title

Authors

Document Type

USMA Research Unit Affiliation

Publication Date

Abstract

Web Link

Browse

Search

Submit Your Work

Links

Links

ACI Journal Articles

Title

Authors

Document Type

USMA Research Unit Affiliation

Publication Date

Abstract

Web Link

Share

Browse

Search

Submit Your Work

Links

Links