anyone know how to collect dns requests made

Question

CptOfEvilMinions · Answer

I think you are referring to this which has the following table `dns lookup events` I think that table is only available on Uptyc s Osquery agent only I don t see that table listed on the open source version of Osquery However if your on a Windows platform you can enumerate the DNS cache with the `dns cache` table

Mike Myers · Answer

We ve experimented with catching DNS on Linux using an extension <https github com trailofbits osquery extensions tree master network monitor>

Brandon · Answer

I think being able to timebox a DNS record to an IP would heavily enrich the process connections table extremely well I don t know the resource increase by passively monitoring interfaces but from an investigation standpoint this is one of my biggest gaps in a zero trust environment e g I don t have bottleneck egress

terracatta · Answer

Zeek is also a great NSM agent that has several solutions with combining data to osquery

terracatta · Answer

IMO zeek is a purpose built for this type of network style monitoring they also have <https github com zeek zeek agent> which can actually augment the network data with process info from osquery

terracatta · Answer

assuming you have both installed

Brandon · Answer

Love zeek but fill that is overkill for this request

WS · Answer

i would love to see `dns lookup events` and `http event` built into native osquery in a remote world w covid having that data come from the endpoint and not tied to a specific office or physical location is huge

WS · Answer

even when most people were in an office i d much rather gather this data from the endpoint welp all the post exploitation activity happened when they were at home so none of our C2 alerts fired

Brandon · Answer

That would be amazing teto have those two Anyone looked at what the lift would be

OpenPlgx · Answer

On Windows We have it thru an extension <https github com polylogyx osq ext bin>