
Brandon

03/25/2021, 12:15 AM
anyone know how to collect dns requests made?

CptOfEvilMinions

03/25/2021, 2:38 PM
I think you are referring to this blog post by Uptycs, which has the following table: dns_lookup_events. I think that table is only available on Uptycs' Osquery agent; I don't see that table listed on the open source version of Osquery: https://osquery.io/schema/4.7.0/ However, if you're on a Windows platform you can enumerate the DNS cache with the dns_cache table.

Mike Myers

03/25/2021, 4:06 PM
We've experimented with catching DNS on Linux using an extension: https://github.com/trailofbits/osquery-extensions/tree/master/network_monitor

Brandon

03/25/2021, 4:42 PM
I think being able to timebox a DNS record to an IP would heavily enrich the process connections table extremely well. I don't know the resource increase by passively monitoring interfaces but from an investigation standpoint this is one of my biggest gaps in a zero trust environment (e.g. I don't have bottleneck egress)

terracatta

03/25/2021, 6:54 PM
Zeek is also a great NSM agent that has several solutions for combining data with osquery.
IMO zeek is purpose built for this type of network style monitoring; they also have https://github.com/zeek/zeek-agent which can actually augment the network data with process info from osquery,
assuming you have both installed.

Brandon

03/25/2021, 11:04 PM
Love zeek but feel that is overkill for this request

WS

03/26/2021, 12:13 AM
I would love to see dns_lookup_events and http_event built into native osquery. In a remote world w/ covid, having that data come from the endpoint and not tied to a specific office or physical location is huge.
Even when most people were in an office, I'd much rather gather this data from the endpoint. "Welp, all the post exploitation activity happened when they were at home so none of our C2 alerts fired"

Brandon

03/26/2021, 1:34 PM
That would be amazing to have those two. Anyone looked at what the lift would be?

OpenPlgx

03/31/2021, 11:43 AM
On Windows, we have it through an extension: https://github.com/polylogyx/osq-ext-bin