<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How can Cortex XDR Pro find the origin process of a DNS request if the process does not use the DnsQueryEx RPC call in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/483167#M1926</link>
    <description>&lt;P&gt;Hi Community,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Is somebody able to explain whether Cortex XDR Pro is able to find the origin process if you have the DNS query? A lot of Windows internal processes use RPC calls to an svchost.exe, which then does the DNS resolving and which Cortex XDR Pro then shows as the source of a searched DNS request. If I understand this article right: &lt;A href="https://stackoverflow.com/questions/62777128/per-process-dns-in-windows" target="_blank"&gt;https://stackoverflow.com/questions/62777128/per-process-dns-in-windows&lt;/A&gt; only processes with an API call to DnsQueryEx can be traced back to the process which was the origin of a DNS request. How can we find all other processes which do not use the RPC DnsQueryEx? Is there a hook into the svchost which loads dnsrslvr.dll, and if yes, how can we get the information to find the origin process of the DNS request?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for any ideas&lt;/P&gt;</description>
    <pubDate>Wed, 27 Apr 2022 14:58:07 GMT</pubDate>
    <dc:creator>fhu_omi</dc:creator>
    <dc:date>2022-04-27T14:58:07Z</dc:date>
    <item>
      <title>How can Cortex XDR Pro find the origin process of a DNS request if the process does not use the DnsQueryEx RPC call</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/483167#M1926</link>
      <description>&lt;P&gt;Hi Community,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Is somebody able to explain whether Cortex XDR Pro is able to find the origin process if you have the DNS query? A lot of Windows internal processes use RPC calls to an svchost.exe, which then does the DNS resolving and which Cortex XDR Pro then shows as the source of a searched DNS request. If I understand this article right: &lt;A href="https://stackoverflow.com/questions/62777128/per-process-dns-in-windows" target="_blank"&gt;https://stackoverflow.com/questions/62777128/per-process-dns-in-windows&lt;/A&gt; only processes with an API call to DnsQueryEx can be traced back to the process which was the origin of a DNS request. How can we find all other processes which do not use the RPC DnsQueryEx? Is there a hook into the svchost which loads dnsrslvr.dll, and if yes, how can we get the information to find the origin process of the DNS request?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for any ideas&lt;/P&gt;</description>
      <pubDate>Wed, 27 Apr 2022 14:58:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/483167#M1926</guid>
      <dc:creator>fhu_omi</dc:creator>
      <dc:date>2022-04-27T14:58:07Z</dc:date>
    </item>
    <item>
      <title>Re: How can Cortex XDR Pro find the origin process of a DNS request if the process does not use the DnsQueryEx RPC call</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/483989#M1931</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173884"&gt;@fhu_omi&lt;/a&gt;&amp;nbsp;What is the use case behind this post?&lt;/P&gt;&lt;P&gt;If I understand your question right, you are looking to find the origin process which asked "svchost.exe dnscache" for a name resolution for a domain name?&lt;/P&gt;&lt;P&gt;You are not interested in knowing the process which makes a direct call to the DnsQueryEx API, correct?&lt;/P&gt;</description>
      <pubDate>Sat, 30 Apr 2022 14:46:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/483989#M1931</guid>
      <dc:creator>KanwarSingh01</dc:creator>
      <dc:date>2022-04-30T14:46:47Z</dc:date>
    </item>
    <item>
      <title>Re: How can Cortex XDR Pro find the origin process of a DNS request if the process does not use the DnsQueryEx RPC call</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/484419#M1934</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390"&gt;@KanwarSingh01&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The use case is that we saw DNS requests on the firewall which were sinkholed. Now we need to know which process was the cause. We nailed it down to svchost.exe dnscache, but we need the process which made the DNS request to svchost.exe dnscache. As I understand it, if a process is programmed to use the API call DnsQueryEx, then no svchost.exe is involved and Cortex XDR is able to show the right process directly.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards&lt;/P&gt;&lt;P&gt;FH&lt;/P&gt;</description>
      <pubDate>Tue, 03 May 2022 05:54:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/484419#M1934</guid>
      <dc:creator>fhu_omi</dc:creator>
      <dc:date>2022-05-03T05:54:07Z</dc:date>
    </item>
    <item>
      <title>Re: How can Cortex XDR Pro find the origin process of a DNS request if the process does not use the DnsQueryEx RPC call</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/484433#M1935</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173884"&gt;@fhu_omi&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't think this is possible, because the call to the "dnscache svchost.exe process" relays the request on behalf of the process. But you can consider this to trace a process making calls to a malicious domain.&lt;/P&gt;&lt;P&gt;When a process makes network comms to an external domain, it will look up the IP address resolution via the svchost.exe process, and then the DNS sinkhole will return a response with a sinkhole IP if the IP is malicious; now we have an answer to the query, which will be the IP address aaa.bbb.ccc.ddd, for example.&lt;/P&gt;&lt;P&gt;Now the process which asked for the lookup will get the answer to the query via svchost.exe from the sinkhole and will then start making a network connection to the returned IP. From here, what you can do is look up the process which is making IP address comms to your sinkhole address via Cortex queries etc., and you will get your possible trace for the malicious DNS request.&lt;/P&gt;&lt;P&gt;Please make sure the IP your DNS sinkhole returns for a malicious query is a reachable IP address, probably somewhere on a network device or some server which points to a dead end but has ports such as 443, 80, 53, 445 etc. enabled, so that your network comms get a valid reply.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;These are just my thoughts. Please let me know if that was helpful.&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Tue, 03 May 2022 06:36:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-can-cortex-xdr-pro-find-the-origin-process-from-a-dns/m-p/484433#M1935</guid>
      <dc:creator>KanwarSingh01</dc:creator>
      <dc:date>2022-05-03T06:36:15Z</dc:date>
    </item>
  </channel>
</rss>