@tomsonpl (Contributor)

DNS Artifact

The Windows DNS artifact provides comprehensive visibility into DNS resolution activity for threat hunting, C2 detection, and incident response. This artifact includes two complementary queries: a DNS cache snapshot for quick domain enumeration, and a detailed event log query with full process context when DNS Client logging is enabled.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query | File | Description |
|---|----------|----|-------|------|-------------|
| 1 | DNS Cache | Windows | dns_cache_snapshot_windows_elastic | ae619588 | Enumerates cached DNS queries |
| 2 | DNS Event Log | Windows | dns_event_log_windows_elastic | 66ee8c5f | DNS queries with process context |

Queries by Platform


🪟 Windows - DNS Cache Snapshot

Description

Enumerates the Windows DNS resolver cache to identify recently queried domains. Useful for threat hunting suspicious domain lookups, C2 beacon detection, and incident response. Cache entries expire based on TTL (max 24 hours by default). Filters out reverse lookups and local service noise.

Detection Focus:

  • Suspicious domain lookups (DGA, typosquatting, known malicious domains)
  • C2 beacon detection through unusual domain patterns
  • Data exfiltration via DNS tunneling indicators
  • Reconnaissance activity through enumeration of queried domains

Result

[Screenshot omitted: DNS cache snapshot query results, 2026-01-20 14:15:43]

Query results show cached DNS entries with domain names and record types. Results are filtered to exclude reverse lookups, Active Directory service records, and local names to reduce noise.

Platform

windows

Interval

900 seconds (15 minutes)

Query ID

dns_cache_snapshot_windows_elastic

ECS Field Mappings

  • event.category: ["network"] (static)
  • event.action: "osquery.dns_cache" (static)
  • dns.question.name: query_name
  • dns.question.type: query_type
  • tags: ["osquery", "network", "dns", "windows", "threat_hunting"] (static)

SQL Query

```sql
-- Windows DNS Cache Snapshot
-- Enumerates recently resolved domains from the DNS resolver cache
-- Limitation: Shows domain names and record types, but NOT resolved IP addresses
-- Cache entries expire based on TTL (max 24 hours by default)
SELECT
    name AS query_name,
    type AS query_type,
    flags
FROM dns_cache
WHERE name != ''
    -- Filter out reverse DNS lookups (PTR records for IP-to-name resolution)
    AND name NOT LIKE '%.in-addr.arpa'
    AND name NOT LIKE '%.ip6.arpa'
    -- Filter out Active Directory service location records
    AND name NOT LIKE '_ldap%'
    AND name NOT LIKE '_kerberos%'
    AND name NOT LIKE '_gc%'
    -- Filter out local names
    AND name NOT LIKE 'localhost%'
    AND name NOT LIKE 'wpad%'
ORDER BY name
```

🪟 Windows - DNS Event Log with Process Context

Description

Queries the Windows DNS Client Operational event log for DNS query completion events (Event ID 3008). Provides full DNS query details including query name, record type, resolved answer, and process context with hashes when the originating process is still running.

PREREQUISITE: DNS Client Operational logging must be enabled via:

  • Command: wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
  • Or via Group Policy: Computer Config > Admin Templates > Network > DNS Client > Turn on logging

Detection Focus:

  • Full DNS query and response correlation (domain + resolved IP)
  • Process attribution for DNS queries (which process queried what domain)
  • Suspicious process DNS activity (malware beaconing, C2 communication)
  • Hash-based threat intelligence lookup via VirusTotal links

Result

[Screenshot omitted: DNS event log query results, 2026-01-20 14:16:02]

Query results show DNS query events with full details including the queried domain, record type, resolved answer (IP addresses), and process context (name, path, command line, hashes) when the originating process is still running at query time.

Platform

windows

Interval

900 seconds (15 minutes)

Query ID

dns_event_log_windows_elastic

ECS Field Mappings

  • event.category: ["network"] (static)
  • event.action: "osquery.dns_event_log" (static)
  • dns.question.name: query_name
  • dns.question.type: query_type
  • dns.answers.data: answer
  • process.pid: pid
  • process.name: process_name
  • process.executable: process_path
  • process.command_line: process_cmdline
  • process.hash.md5: md5
  • process.hash.sha256: sha256
  • tags: ["osquery", "network", "dns", "windows", "event_log", "requires_config"] (static)

SQL Query

```sql
-- Windows DNS Client Event Log with Process Context
-- Queries DNS query completion events from the DNS Client Operational log
-- Enriches with process path, cmdline, and hashes when process is still running
-- PREREQUISITE: DNS Client Operational logging must be enabled:
--   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
-- Or via Group Policy: Computer Config > Admin Templates > Network > DNS Client > Turn on logging
-- Event ID 3008 = DNS query completed
SELECT
    w.datetime AS event_time,
    w.eventid,
    w.pid,
    JSON_EXTRACT(w.data, '$.EventData.QueryName') AS query_name,
    JSON_EXTRACT(w.data, '$.EventData.QueryType') AS query_type,
    JSON_EXTRACT(w.data, '$.EventData.QueryResults') AS answer,
    p.name AS process_name,
    p.path AS process_path,
    p.cmdline AS process_cmdline,
    h.md5,
    h.sha256,
    'https://www.virustotal.com/gui/file/' || h.sha256 AS vt_link
FROM windows_eventlog w
LEFT JOIN processes p ON w.pid = p.pid
LEFT JOIN hash h ON h.path = p.path
WHERE w.channel = 'Microsoft-Windows-DNS-Client/Operational'
    AND w.eventid = 3008
```

Comparison between the queries

| Feature | DNS Cache Query | DNS Event Log Query |
|---------|-----------------|---------------------|
| Query Name | ✅ | ✅ |
| Query Type | ✅ | ✅ |
| Answer/IP | ❌ | ✅ |
| Process PID | ❌ | ✅ |
| Process Path | ❌ | ✅* |
| Process Cmdline | ❌ | ✅* |
| Process Hashes | ❌ | ✅* |
| Always Works | ✅ | ⚠️ Requires config |

*Process context available only when the originating process is still running at query time.
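One way to post-process the rows these two queries return, as an added example that is not part of this PR or the osquery_manager integration: it applies the cache query's noise filter in Python and maps result columns onto the ECS fields listed above for both queries, leaving out process.* when the LEFT JOIN came back NULL (process already exited). The sample rows are constructed, and the function names are my own.

```python
import fnmatch

# Noise patterns from the dns_cache WHERE clause. In SQL LIKE "_" is a one-char
# wildcard ('_ldap%' also matches "xldap..."); fnmatch matches it literally, as intended.
NOISE_PATTERNS = ("*.in-addr.arpa", "*.ip6.arpa", "_ldap*", "_kerberos*",
                  "_gc*", "localhost*", "wpad*")
FIELD_MAP = {  # ECS field -> result column, from the PR's two mapping lists
    "dns.question.name": "query_name", "dns.question.type": "query_type",
    "dns.answers.data": "answer", "process.pid": "pid",
    "process.name": "process_name", "process.executable": "process_path",
    "process.command_line": "process_cmdline",
    "process.hash.md5": "md5", "process.hash.sha256": "sha256",
}
CACHE_ID = "dns_cache_snapshot_windows_elastic"

def is_noise(name: str) -> bool:
    """Reverse lookups, AD service records and local names; LIKE is case-insensitive."""
    return name == "" or any(fnmatch.fnmatchcase(name.lower(), p) for p in NOISE_PATTERNS)

def to_ecs(row: dict, query_id: str) -> dict:
    """Flat ECS document for one result row. process.* appears only when the LEFT JOIN
    found the originating process still running; NULL columns are omitted, not indexed."""
    cache = query_id == CACHE_ID
    doc = {
        "event.category": ["network"],
        "event.action": "osquery.dns_cache" if cache else "osquery.dns_event_log",
        "tags": ["osquery", "network", "dns", "windows"]
                + (["threat_hunting"] if cache else ["event_log", "requires_config"]),
    }
    for field, col in FIELD_MAP.items():
        if row.get(col) not in (None, ""):
            doc[field] = row[col]
    return doc

def ingest(rows: list, query_id: str) -> list:
    """Map rows, dropping noise (the event-log query itself has no such filter)."""
    return [to_ecs(r, query_id) for r in rows if not is_noise(r.get("query_name", ""))]

# Constructed sample rows (not real telemetry): a cache row, a PTR noise row, and
# two 3008 events, the second from a process that had exited before the query ran.
CACHE_ROWS = [{"query_name": "updates.example.net", "query_type": "1", "flags": "0"},
              {"query_name": "1.0.0.10.in-addr.arpa", "query_type": "12", "flags": "0"}]
EVENT_ROWS = [
    {"pid": 4242, "query_name": "updates.example.net", "query_type": "1", "answer": "203.0.113.10;",
     "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe",
     "process_cmdline": "svchost.exe -k netsvcs", "md5": "0" * 32, "sha256": "0" * 64},
    {"pid": 9999, "query_name": "beacon.example.org", "query_type": "1", "answer": "198.51.100.7;",
     **{c: None for c in ("process_name", "process_path", "process_cmdline", "md5", "sha256")}},
]
```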

  - dns_cache_snapshot_windows_elastic: Cached DNS queries from dns_cache table
  - dns_event_log_windows_elastic: DNS Client event log with process context
  - Update artifacts_matrix.md with new DNS artifacts (#26, #27)
@tomsonpl tomsonpl requested a review from a team as a code owner January 20, 2026 13:18
@tomsonpl tomsonpl requested review from calladoum-elastic, ferullo, paul-tavares and pzl and removed request for a team, paul-tavares and pzl January 20, 2026 13:18
@elasticmachine commented Jan 20, 2026

💔 Build Failed

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Jan 20, 2026