To track a DNS request back to a PC you can use Cisco Umbrella or watch the DNS debug logs on the DNS server. That tells you the IP of the machine the DNS requests are coming from, but you may also want to know which process on that machine is making them.
There are a few tools you can use:
Microsoft Sysmon (Sysinternals)
1 - Download sysmon
https://technet.microsoft.com/en-us/sysinternals/sysmon
2 - Download the SwiftOnSecurity Sysmon config
https://github.com/SwiftOnSecurity/sysmon-config
3 - Install Sysmon with the SwiftOnSecurity config
Sysmon.exe -accepteula -i .\sysmonconfig-export.xml
4 - Open Event Viewer and check the Sysmon logs
Eventvwr.msc
Applications and services logs -> Microsoft -> Windows -> Sysmon
Right click -> Find, and search for the URL (hostname).
The process that made the query is shown under Image (the image name).
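Instead of searching the log by hand, the same lookup can be scripted. This is an added example, not part of the original post: it reads Sysmon DNS query events (Event ID 22) from the operational log, pulls out the querying image, and groups the hits per process. It assumes Sysmon 10 or later with DNS query logging enabled by the config, and uses the hostname from the post as a placeholder.

```powershell
# Added example: which processes resolved a given hostname, according to Sysmon.
# Assumes Sysmon 10+ and a config that logs DnsQuery events (Event ID 22).
param(
    [string]$QueryName = 'x1.c.lencr.org',   # hostname from the post; replace as needed
    [int]$Hours = 24                          # how far back to search
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22                            # Sysmon DnsEvent (DNS query)
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Sysmon DNS events (ID 22) in the last $Hours h; check that the config enables DnsQuery logging."
    return
}

$events |
    ForEach-Object {
        # Sysmon stores each field as <Data Name="...">value</Data>; flatten to a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $d['UtcTime']
            QueryName = $d['QueryName']
            Results   = $d['QueryResults']   # resolved IPs, useful for a follow-up TCPView/Wireshark filter
            Image     = $d['Image']          # full path of the process that issued the query
            ProcId    = $d['ProcessId']
        }
    } |
    Where-Object { $_.QueryName -like "*$QueryName*" } |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Image';    e = { $_.Name } },
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } },
                  @{ n = 'Results';  e = { ($_.Group.Results | Sort-Object -Unique) -join ' ' } }
```

Run it from an elevated PowerShell prompt, since reading the Sysmon log requires administrative rights; the Results column gives you the IP to carry into the Wireshark or TCPView steps below.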
Wireshark
Won't show you the process the request came from, but you will see when requests are happening.
Useful display filters (Wireshark display-filter syntax):
Show all DNS traffic:
dns
Show DNS requests for the URL and also any connections to its IP (here URL = x1.c.lencr.org, which nslookup resolved to 23.72.154.199):
(ip.dst == 23.72.154.199) or ((dns.qry.name == x1.c.lencr.org))
Show DNS requests for that name coming from my PC 192.168.1.10 (queries only, not responses):
(dns.flags.response == 0) and (ip.src == 192.168.1.10) and (dns.qry.name == x1.c.lencr.org)
TCPView
Some users report success using TCPView. Nslookup the URL to get its IP, then watch TCPView for connections to that IP. Usually a connection to the IP happens straight after the DNS request.
Untick TCPv6 etc. if that is not your traffic. A good place to start is IPv4 only; then search for the IP and you should see the module/process.