DNS lookup investigation


Post by RoaldPatfick » Thu Jan 07, 2021 11:41 am

Hi everyone!

Please help me with a little but urgent task.

I need to identify which application/image/process performs a DNS lookup for some hostname.

For example:

I see that one of my PCs generates a DNS lookup for some hostname, for example a DNS lookup for xxxxxx.com.

My goal is to identify what image\process\application generates network traffic to that hostname.

Very IMPORTANT to note that xxxxxx.com is not resolvable to an IP address (I am investigating an unknown malware case); xxxxxx.com was generated by a Domain Generation Algorithm (common for malware).

I tried to use Sysinternals tools. I used system explorer and Microsoft Message Analyzer.

With the help of Message Analyzer I picked up the DNS query and process ID. In Process Explorer I found that process, but the problem is:

1) most DNS queries are handled by svchost.exe

2) I don't see the original application; I see that svchost.exe sends the DNS query to my DNS server

For example, when I try to reach xxxxxx.com from a browser I see that svchost.exe performs the DNS lookup to my DNS server, and the process ID is 444 (which is common for svchost.exe).

My goal is to see what original application or image searches for xxxxxx.com. For example, I need to see that the Firefox browser made a call to svchost.exe to resolve the xxxxxxx.com hostname.

What do you think, is it possible?
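An added example, not part of the original post and not a Sysinternals tool: Sysmon Event ID 22 (DnsQuery) logs the Image of the process that called the DNS client API, so the lookup is attributed to the real caller instead of the svchost.exe that forwards it. The script assumes Sysmon is installed with a DnsQuery rule that logs all lookups, the log name Microsoft-Windows-Sysmon/Operational, and a constructed sample record with placeholder values (the hostname xxxxxx.com from the post, an invented PID and Firefox path).

```powershell
function ConvertFrom-SysmonDnsEvent {
    # Flatten the EventData of one Event ID 22 record into an object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime      = $data['UtcTime']
        Image        = $data['Image']        # the process that asked for the name
        ProcessId    = [int]$data['ProcessId']
        QueryName    = $data['QueryName']
        QueryStatus  = [int]$data['QueryStatus']  # 0 = resolved, 9003 = NXDOMAIN
        QueryResults = $data['QueryResults']
    }
}

function Find-DnsQueryOrigin {
    # Return every Event ID 22 record whose QueryName matches the wildcard pattern.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 22 } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SysmonDnsEvent -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_.QueryName -like $Pattern }
}

# Constructed sample record (placeholder values) so the parser runs without a live log.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-07 11:41:00.000</Data>
    <Data Name="ProcessId">5120</Data>
    <Data Name="QueryName">xxxxxx.com</Data>
    <Data Name="QueryStatus">9003</Data>
    <Data Name="QueryResults"></Data>
    <Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-SysmonDnsEvent -EventXml ([xml]$sample) | Format-List

# Live use on the investigated host: which Image asked for the DGA-looking name?
# Find-DnsQueryOrigin -Pattern 'xxxxxx.com' |
#     Format-Table UtcTime, Image, ProcessId, QueryStatus
```

Filtering the live results on QueryStatus 9003 (NXDOMAIN) surfaces the unresolvable names a DGA produces, which is a useful first triage view before looking at individual hosts.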
