Malicious code was querying a hard-coded DNS server instead of sysmon DNS, and even that was not registering with Sysmon. We could see the queries at the network level (Packetbeat logs). Can you please throw some light on it?

  • Question

  • Malicious code was querying a hard-coded DNS server instead of sysmon DNS, and even that was not registering with Sysmon. We could see the queries at the network level (Packetbeat logs). Can you please throw some light on it?
    • Moved by Dave Patrick (MVP) Thursday, December 17, 2020 1:37 PM (looking for forum)
    Thursday, December 17, 2020 6:29 AM

Answers

All replies

  • The forum has migrated to the link mentioned below:

    https://docs.microsoft.com/en-us/answers/index.html

    If the issue is resolved, please mark as answer.

    • Marked as answer by Nazakat Ali Thursday, December 17, 2020 7:32 AM
    • Unmarked as answer by Nazakat Ali Thursday, December 17, 2020 7:32 AM
    Thursday, December 17, 2020 6:42 AM
  • I'd try asking for help over here.

    windows-dhcp-dns - Microsoft Q&A

    windows-sysinternals-sysmon - Microsoft Q&A

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Thursday, December 17, 2020 1:37 PM
  • Can you reproduce the problem?

    What version of sysmon was running at the time of the transaction?

    Have you thoroughly reviewed your sysmon configs to ensure you did not have rules in place which would have excluded or not included collection?

    Was the malicious code compiled, or an interpreted script? Do you have a hash of the malicious code file? Is it known to VirusTotal and available for download?

    Friday, December 18, 2020 7:15 AM
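One defensive check the thread points toward, as an added example that is not code from any of the posters: Sysmon's DNS query event is sourced from the Windows DNS client, so a process that sends its own packets to a hard-coded resolver leaves no such event, and the network capture is where it shows up. The script below scans constructed Packetbeat-style DNS records (ECS-style field names, an assumed layout) and flags queries sent to any resolver outside a sanctioned allow-list, which is also an assumption.

```python
import json

# Constructed allow-list (assumption): the resolvers hosts in this environment should use.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample of Packetbeat-style DNS records in JSON-lines form, using ECS-style
# field names (destination.ip, destination.port, dns.question.name). These are assumed
# records, not data from the thread; the second line is the kind of traffic described.
SAMPLE_PACKETBEAT_JSONL = """\
{"type":"dns","source":{"ip":"10.0.5.21"},"destination":{"ip":"10.0.0.53","port":53},"dns":{"question":{"name":"update.example.com","type":"A"}}}
{"type":"dns","source":{"ip":"10.0.5.21"},"destination":{"ip":"203.0.113.9","port":53},"dns":{"question":{"name":"lookup.example.net","type":"TXT"}}}
{"type":"dns","source":{"ip":"10.0.5.22"},"destination":{"ip":"10.0.1.53","port":53},"dns":{"question":{"name":"mail.example.com","type":"MX"}}}
{"type":"http","source":{"ip":"10.0.5.22"},"destination":{"ip":"203.0.113.9","port":80}}
"""


def parse_jsonl(text):
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rogue_resolver_queries(records, sanctioned=SANCTIONED_RESOLVERS):
    """Return (source ip, resolver ip, query name, query type) for every DNS record
    whose destination is not one of the sanctioned resolvers. Non-DNS records are ignored."""
    hits = []
    for rec in records:
        if rec.get("type") != "dns":
            continue
        dst = rec.get("destination", {})
        if dst.get("ip") in sanctioned:
            continue
        question = rec.get("dns", {}).get("question", {})
        hits.append((rec.get("source", {}).get("ip"), dst.get("ip"),
                     question.get("name"), question.get("type")))
    return hits


def summarize_by_host(hits):
    """Group rogue-resolver hits per source host: {src: {resolver: [query names]}}."""
    summary = {}
    for src, dst, name, _qtype in hits:
        summary.setdefault(src, {}).setdefault(dst, []).append(name)
    return summary


if __name__ == "__main__":
    found = rogue_resolver_queries(parse_jsonl(SAMPLE_PACKETBEAT_JSONL))
    for src, resolvers in summarize_by_host(found).items():
        for resolver, names in resolvers.items():
            print(f"{src} -> unsanctioned resolver {resolver}: {', '.join(names)}")
```

Hosts that appear in this output but have no matching Sysmon DNS query event are the ones to pull process and network-connection telemetry for.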