Sysmon DNS Event Auditing (Windows 2008 R2)

TL;DR

This guide shows you how to audit Sysmon event ID 10 (DNS events) on Windows Server 2008 R2. We’ll cover configuring Sysmon, filtering for useful information, and viewing the logs in Event Viewer.

Configuring Sysmon

  1. Download Sysmon: Get the latest version from the official GitHub repository.
  2. Extract the Files: Unzip the downloaded archive to a folder on your server (e.g., C:\Sysmon).
  3. Create a Configuration File: Sysmon uses an XML configuration file to define what events it logs. Create a new text file named config.xml in the same folder as the Sysmon executable. A basic DNS config looks like this:
    <Sysmon schemaversion="4.82">
      <EventFiltering>
        <RuleGroup name="DNS" groupRelation="or">
          <!-- DNS query events are filtered with DnsQuery rules. An exclude rule
               with no conditions excludes nothing, so every query is logged. -->
          <DnsQuery onmatch="exclude" />
        </RuleGroup>
      </EventFiltering>
    </Sysmon>

    This configuration logs every DNS query (the UDP port 53 lookups) the server makes.

  4. Install Sysmon: Open an elevated command prompt and navigate to the Sysmon folder. Run the following command (the -accepteula switch accepts the licence non-interactively, which matters when the install is scripted):
    Sysmon.exe -accepteula -i config.xml

    If successful, you’ll see a message indicating that Sysmon has been installed.

Filtering DNS Events

  1. Refine the Configuration (Optional): The basic configuration logs *all* DNS traffic. You can refine it to focus on specific domains or IPs. Note that with onmatch="include" only queries that match a rule are logged:
    • Specific Domain: Add a QueryName filter within the DnsQuery rule.
      <DnsQuery onmatch="include">
        <!-- matches example.com and any of its subdomains -->
        <QueryName condition="end with">example.com</QueryName>
      </DnsQuery>
    • Specific IP Address: Add a QueryResults filter. QueryResults holds the addresses returned for the query.
      <DnsQuery onmatch="include">
        <QueryResults condition="contains">192.168.1.100</QueryResults>
      </DnsQuery>
  2. Reload Sysmon: After making changes to config.xml, reload Sysmon:
    Sysmon.exe -c config.xml

Viewing DNS Events in Event Viewer

  1. Open Event Viewer: Search for “Event Viewer” in the Start menu and open it.
  2. Navigate to Sysmon Logs: Expand Applications and Services Logs, then find and select Sysmon.
  3. Filter Current Log: In the right-hand pane, click Filter Current Log....
  4. Event ID Filter: Select Event IDs and enter 10 in the text box. Click OK. This will show only DNS events.
  5. Examine Event Details: Double-click an event to view its details. Key fields include:
    • UtcTime: Timestamp of the event.
    • Computer: The hostname of the server where the event occurred.
    • EventData: Contains detailed information about the DNS query, including the queried domain, IP address, and response.
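    Beyond clicking through events one at a time, the exported log can be summarised in bulk. The following Python script is an added example, not part of this guide or of Sysmon itself: it parses DNS query records saved from Event Viewer's XML view, lists the names each executable resolved, and flags query names containing an oversized label, a cheap check worth running over the whole export. The sample records are constructed; the field names (UtcTime, QueryName, QueryResults, Image) are the ones Sysmon's DNS query event carries.

```python
# Summarise Sysmon DNS query events exported from Event Viewer's XML view: names resolved per process, plus oversized-label names.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not real logs) in the shape Event Viewer's XML view
# shows Sysmon DNS query records; Sysmon emits them as event ID 22 (DnsQuery).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>22</EventID><Computer>srv01.example.local</Computer></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
  <Data Name="QueryName">www.example.com</Data>
  <Data Name="QueryResults">::ffff:93.184.216.34;</Data>
  <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>22</EventID><Computer>srv01.example.local</Computer></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:00:05.000</Data>
  <Data Name="QueryName">0123456789abcdef0123456789abcdef0123456789abcdef.example.net</Data>
  <Data Name="QueryResults"></Data>
  <Data Name="Image">C:\\Users\\Public\\updater.exe</Data>
 </EventData>
</Event>
</Events>"""

def parse_dns_events(xml_text):
    """Return one dict per DNS query event, keyed by EventData field name."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if "QueryName" in fields:  # skip records that are not DNS queries
            fields["Computer"] = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
            events.append(fields)
    return events

def queries_per_image(events):
    """Map each querying executable to the set of names it resolved."""
    by_image = defaultdict(set)
    for e in events:
        by_image[e["Image"]].add(e["QueryName"])
    return dict(by_image)

def long_label_queries(events, max_label=40):
    """Return (Image, QueryName) pairs whose name has a label longer than max_label characters."""
    return [(e["Image"], e["QueryName"]) for e in events
            if any(len(lbl) > max_label for lbl in e["QueryName"].split("."))]
```

Save the filtered log from Event Viewer as XML (or paste records from the XML view), pass the file's text to parse_dns_events, and review the two summaries; the 40-character label threshold is an assumption to tune for your environment.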

Troubleshooting

  • Sysmon Not Running: Check Task Manager (Ctrl+Shift+Esc) to ensure Sysmon.exe is running. If not, try reinstalling Sysmon.
  • No Events Logged: Verify your configuration file is valid and that the filters are correctly configured. Double-check network connectivity.