{
"dataset": {
"name": "EID Quick Reference - DNS Client",
"version": "1.4.0",
"generatedAt": "2026-04-12T00:00:00Z",
"id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/dns-client.json",
"schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
"license": {
"name": "Creative Commons Attribution 4.0 International",
"spdx": "CC-BY-4.0",
"notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
},
"sources": [
{
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/",
"type": "primary"
}
]
},
"entries": [
{
"id": 3006,
"log": "DNSClient",
"provider": "Microsoft-Windows-DNS-Client",
"channel": "Microsoft-Windows-DNS-Client/Operational",
"level": "Information",
"title": "DNS query initiated",
"summary": "The DNS client sent a query to resolve a name.",
"details": "Generated when the Windows DNS client initiates a query to resolve a hostname or other DNS record type. This event provides full DNS query visibility at the host level, making it the primary data source for DNS-based C2 and tunneling detection. Indicators of compromise in DNS queries include excessively long subdomains (>50 characters) indicating DNS tunneling, high-frequency queries to a single parent domain, high-entropy domain names (DGA patterns), and TXT or NULL record queries from non-mail applications. This channel is disabled by default and volume can be extremely high on active endpoints.",
"prerequisites": [
{
"type": "log-enablement",
"description": "The DNS Client operational log channel is disabled by default and must be enabled before events are collected.",
"command": "wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true"
}
],
"category": "DNS",
"tags": [
"dns",
"c2",
"dns-tunneling",
"exfiltration",
"dga"
],
"relatedEventIds": [
{
"id": 3008,
"log": "DNSClient"
},
{
"id": 3010,
"log": "DNSClient"
},
{
"id": 22,
"log": "Sysmon"
},
{
"id": 1,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1071.004",
"techniqueName": "Application Layer Protocol: DNS",
"tactics": [
{
"tacticId": "TA0011",
"tacticName": "Command and Control"
}
]
},
{
"techniqueId": "T1568.002",
"techniqueName": "Dynamic Resolution: Domain Generation Algorithms",
"tactics": [
{
"tacticId": "TA0011",
"tacticName": "Command and Control"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Flag QueryName values with subdomains longer than 50 characters — this is a strong DNS tunneling indicator",
"High-frequency queries (>100/min) to a single parent domain from a single process indicate beaconing or tunneling",
"TXT or NULL record queries (QueryType) from non-mail, non-internal processes are anomalous",
"Calculate entropy of QueryName — high entropy base domains with many unique subdomains indicate DGA activity"
],
"commonFalsePositives": [
"Any legitimate DNS resolution — this event fires for all name lookups and must be filtered by anomaly patterns",
"CDN and cloud services that use long subdomain-encoded parameters in their hostnames",
"Security tools that perform DNS lookups for threat intelligence enrichment"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "QueryName",
"xpath": "EventData/Data[@Name='QueryName']",
"description": "The hostname or DNS name being resolved"
},
{
"name": "QueryType",
"xpath": "EventData/Data[@Name='QueryType']",
"description": "DNS record type (A, AAAA, TXT, MX, NULL, etc.)"
},
{
"name": "ServerList",
"xpath": "EventData/Data[@Name='ServerList']",
"description": "DNS server the query was sent to"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 3008,
"log": "DNSClient",
"provider": "Microsoft-Windows-DNS-Client",
"channel": "Microsoft-Windows-DNS-Client/Operational",
"level": "Warning",
"title": "DNS query failed",
"summary": "The DNS client failed to resolve a name (NXDOMAIN, timeout, or server error).",
"details": "Generated when the Windows DNS client receives a failure response or times out when resolving a name. Failed DNS queries are significant for two detection scenarios: (1) DGA-based C2 malware generates large volumes of NXDOMAIN failures as it cycles through generated domain names looking for a live C2 domain; (2) DNS tunneling failures may indicate an endpoint attempting to reach a tunneling server that has been taken down. The QueryName field on failed queries retains the full lookup target, preserving the name even when no answer was returned. Requires DNS Client operational log to be enabled.",
"prerequisites": [
{
"type": "log-enablement",
"description": "The DNS Client operational log channel is disabled by default and must be enabled before events are collected.",
"command": "wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true"
}
],
"category": "DNS",
"tags": [
"dns",
"nxdomain",
"dga",
"c2",
"dns-tunneling"
],
"relatedEventIds": [
{
"id": 3006,
"log": "DNSClient"
},
{
"id": 3010,
"log": "DNSClient"
},
{
"id": 22,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1568.002",
"techniqueName": "Dynamic Resolution: Domain Generation Algorithms",
"tactics": [
{
"tacticId": "TA0011",
"tacticName": "Command and Control"
}
]
},
{
"techniqueId": "T1071.004",
"techniqueName": "Application Layer Protocol: DNS",
"tactics": [
{
"tacticId": "TA0011",
"tacticName": "Command and Control"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"High-volume NXDOMAIN failures from a single process over a short period are the primary DGA indicator",
"Collect all failed QueryName values and calculate n-gram frequency — DGA names have low n-gram frequency compared to legitimate English names",
"A sudden spike in NXDOMAIN failures followed by a successful resolution (EID 3010) to an unusual domain indicates DGA C2 check-in"
],
"commonFalsePositives": [
"Mistyped hostnames or stale DNS entries in application configurations",
"Browsers pre-fetching link targets that are no longer valid",
"Software that attempts to resolve internal hostnames when off-network (laptop disconnected from VPN)"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "QueryName",
"xpath": "EventData/Data[@Name='QueryName']",
"description": "The hostname that failed to resolve"
},
{
"name": "QueryType",
"xpath": "EventData/Data[@Name='QueryType']",
"description": "DNS record type requested"
},
{
"name": "QueryStatus",
"xpath": "EventData/Data[@Name='QueryStatus']",
"description": "Error code for the failure (NXDOMAIN, SERVFAIL, timeout, etc.)"
},
{
"name": "ServerList",
"xpath": "EventData/Data[@Name='ServerList']",
"description": "DNS server the query was sent to"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 3010,
"log": "DNSClient",
"provider": "Microsoft-Windows-DNS-Client",
"channel": "Microsoft-Windows-DNS-Client/Operational",
"level": "Information",
"title": "DNS query completed",
"summary": "The DNS client received a successful response for a query.",
"details": "Generated when the DNS client successfully resolves a name. Successful DNS resolutions are the companion to EID 3006 (query initiated) and provide the final resolved IP address, which is critical for correlating DNS-based C2 with subsequent network connections. For DNS tunneling detection, TXT record responses with high-entropy base64 or hex payloads indicate data being transferred via DNS. Requires DNS Client operational log to be enabled.",
"prerequisites": [
{
"type": "log-enablement",
"description": "The DNS Client operational log channel is disabled by default and must be enabled before events are collected.",
"command": "wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true"
}
],
"category": "DNS",
"tags": [
"dns",
"resolution",
"c2",
"dns-tunneling"
],
"relatedEventIds": [
{
"id": 3006,
"log": "DNSClient"
},
{
"id": 3008,
"log": "DNSClient"
},
{
"id": 3020,
"log": "DNSClient"
},
{
"id": 22,
"log": "Sysmon"
},
{
"id": 3,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1071.004",
"techniqueName": "Application Layer Protocol: DNS",
"tactics": [
{
"tacticId": "TA0011",
"tacticName": "Command and Control"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"QueryResults (resolved IP) is the pivot to network connection logs — look for outbound connections to the IP immediately after this event",
"Repeated successful resolutions of the same domain to different IPs may indicate fast-flux C2 infrastructure",
"TXT record QueryResults containing high-entropy data are a DNS tunneling indicator"
],
"commonFalsePositives": [
"All successful DNS lookups generate this event — filter by anomalous QueryName patterns to reduce noise"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "QueryName",
"xpath": "EventData/Data[@Name='QueryName']",
"description": "The hostname that was resolved"
},
{
"name": "QueryType",
"xpath": "EventData/Data[@Name='QueryType']",
"description": "DNS record type"
},
{
"name": "QueryResults",
"xpath": "EventData/Data[@Name='QueryResults']",
"description": "Resolved IP address or record value; pivot point for correlating with subsequent network connections"
},
{
"name": "ServerList",
"xpath": "EventData/Data[@Name='ServerList']",
"description": "DNS server that provided the answer"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 3020,
"log": "DNSClient",
"provider": "Microsoft-Windows-DNS-Client",
"channel": "Microsoft-Windows-DNS-Client/Operational",
"level": "Information",
"title": "DNS query answered from cache",
"summary": "A DNS name was resolved from the local DNS client cache rather than queried to a server.",
"details": "Generated when the DNS client resolves a name using a cached entry rather than sending a new query to a DNS server. Cache hits indicate a name was recently resolved (a fresh EID 3010 event should exist nearby). DNS cache poisoning attacks may cause this event to return attacker-controlled IPs for legitimate domains without generating a corresponding upstream query. If EID 3020 returns an unexpected IP for a known-good domain and no matching EID 3006/3010 exists, the cache entry may be poisoned. Requires DNS Client operational log to be enabled.",
"prerequisites": [
{
"type": "log-enablement",
"description": "The DNS Client operational log channel is disabled by default and must be enabled before events are collected.",
"command": "wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true"
}
],
"category": "DNS",
"tags": [
"dns",
"cache",
"dns-poisoning",
"c2"
],
"relatedEventIds": [
{
"id": 3006,
"log": "DNSClient"
},
{
"id": 3010,
"log": "DNSClient"
},
{
"id": 22,
"log": "Sysmon"
}
],
"mitreAttack": [
{
"techniqueId": "T1557",
"techniqueName": "Adversary-in-the-Middle",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
},
{
"tacticId": "TA0009",
"tacticName": "Collection"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Compare QueryResults IP against the expected IP for the domain — unexpected IPs indicate cache poisoning",
"A cache hit with no preceding EID 3010 in the relevant time window is anomalous and may indicate injected cache entries",
"Run ipconfig /displaydns to inspect the full cache state if poisoning is suspected"
],
"commonFalsePositives": [
"Any repeated DNS resolution within the cache TTL — the vast majority of cache hits are legitimate"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"keyFields": [
{
"name": "QueryName",
"xpath": "EventData/Data[@Name='QueryName']",
"description": "The hostname resolved from cache"
},
{
"name": "QueryType",
"xpath": "EventData/Data[@Name='QueryType']",
"description": "DNS record type"
},
{
"name": "QueryResults",
"xpath": "EventData/Data[@Name='QueryResults']",
"description": "Cached IP address or record value; unexpected IPs for known-good domains may indicate cache poisoning"
}
],
"lastReviewed": "2026-04-10"
}
]
}