Sysinternals Sysmon now with DNS Query logging

Sysinternals - Sysmon with DNS logging

The new event ID for DNS queries is 22. As soon as a process issues a DNS query, Sysmon writes it to the Sysmon operational log as an event, regardless of whether the lookup succeeds or fails.

Download Sysmon

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Download all tools

https://live.sysinternals.com/

# Event ID 3 (network connection): show the first connection to 172.18.32.10 on port 80
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=3} | Where-Object {$_.Message -like "*172.18.32.10*" -and $_.Message -like "*DestinationPort: 80*"} | Select-Object -Property Message -First 1 | Format-List

# Event ID 3 (network connection): show the first connection to 172.18.32.10 on port 443
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=3} | Where-Object {$_.Message -like "*172.18.32.10*" -and $_.Message -like "*DestinationPort: 443*"} | Select-Object -Property Message -First 1 | Format-List

# Event ID 22 (DNS query): list all logged DNS queries
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=22} | Format-List
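As an added example (not from the original post), the following PowerShell reads event ID 22 records from the Sysmon log named above, extracts the typed EventData fields instead of pattern-matching the rendered Message text, and summarises queries per process, separating successful lookups from failed ones via QueryStatus. The function name is my own; the field names (UtcTime, Image, QueryName, QueryStatus, QueryResults) are the standard Sysmon event 22 data fields.

```powershell
# Added example (not from the original post): summarise Sysmon event ID 22
# (DNS query) records per process, separating successful lookups from failed
# ones. Field names (QueryName, QueryStatus, QueryResults, Image) are the
# standard Sysmon event 22 data fields; the function name is made up here.
function Get-SysmonDnsSummary {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 22
        StartTime = $StartTime
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $records = foreach ($e in $events) {
        # Read the typed EventData fields from the event XML rather than
        # pattern-matching the rendered Message string.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            UtcTime      = $data['UtcTime']
            Image        = $data['Image']
            QueryName    = $data['QueryName']
            # QueryStatus is the Windows DNS status code: 0 means the lookup
            # succeeded, any other value (e.g. 9003 = name does not exist) failed.
            QueryStatus  = [int]$data['QueryStatus']
            QueryResults = $data['QueryResults']
        }
    }

    $records |
        Group-Object Image |
        ForEach-Object {
            $failed = @($_.Group | Where-Object QueryStatus -ne 0)
            [pscustomobject]@{
                Image         = $_.Name
                Queries       = $_.Count
                UniqueDomains = ($_.Group.QueryName | Sort-Object -Unique).Count
                Failed        = $failed.Count
                # A process with many failed lookups is worth a closer look.
                FailedRatio   = [math]::Round($failed.Count / $_.Count, 2)
            }
        } |
        Sort-Object FailedRatio, Queries -Descending
}

Get-SysmonDnsSummary | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the Sysmon operational log requires administrative rights.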

Sysmon tools

The Sysmon Shell is a tool for creating configuration templates and much more.

Sysmon shell create templates

Sysmon View is an offline tool for graphical evaluation of events. It helps track and visualize Sysmon logs by logically grouping and correlating the various Sysmon events.

Sysmon View graphical evaluation

Download sysmon tools