How can Cortex XDR Pro find the origin process from a DNS request if the process not uses DnsQueryEx RPC Call

cancel
Showing results for 
Search instead for 
Did you mean: 

How can Cortex XDR Pro find the origin process from a DNS request if the process not uses DnsQueryEx RPC Call

L1 Bithead

Hi Community,


Is somebody able to explain if Cortex XDR Pro is able to find the origin process if you have the DNS Query? A lot of windows internal process uses rpc calls to a svchhost.exe, which then makes the dns resolving, which is cortex xdr pro the source of a searched dns request. If i understand this articel right: https://stackoverflow.com/questions/62777128/per-process-dns-in-windows only process with api call to DnsQueryEx can traced back to the process which was the origin of a dns request. How can we find all other process which not uses the rpc DnsQueryEx? Is there a hook to a svchost which loads dnsrslvr.dll, if yes how can we get the information to find the origin process of the dns request?

 

thx for any ideas

3 REPLIES 3

L3 Networker

@fhu_omi What is the use cases behind this post?

If I understand your question right you are looking to find the origin process which requested "svchost.exe dnscache" for a name resolution for a domain name?

You are not interested in knowing the process which makes direct call to DnsQueryEx API, correct?

Kind Regards
KS

Hi @KanwarSingh01,

 

The usecase is, that we saw on firewall dns request which where sinkholed. Now we need to know which process was the cause. We nailed it down to the svchost.exe dnscache, but we need process which made the dns request to svchost.exe dnscache. As i understand, if a process is programmed to use the api call DnsQueryEx, then is no svchost.exe involved and Cortex XDR is able to show direct the right process.

 

Kind regards

FH

L3 Networker

Hi @fhu_omi 

Don't think so this is possible, cause the call to "dnscache svchost.exe process" relays the request on behalf of the process. But you can consider this to trace a process making calls to malicious domain.

When a process which makes network comms to an external domain will lookup for ip address resolution via svchost.exe process and then DNS sinkhole will return a response if the IP is malicious with a sink hole IP, now we have an answer to a query which will be IP address aaa.bbb.ccc.ddd for example.

Now, the process which asked for the lookup will get answer to the query via svchost.exe from Sink hole and then will start making network connection to the returned IP, from here what you can do is you can lookup for the process which is making IP address comms to your sink hole address via cortex queries etc and you will get your possible trace for the malicious DNS request.

Please make sure your DNS Sinkhole return IP for malicious query should be a reachable IP address probably somewhere on network device or some server which points to a dead end but have ports such as 443,80,53,445 etc enabled. So that your network comms get a valid reply.

 

These are just my thoughts. Please let me know, if that was helpful.

Thank You.

Kind Regards
KS
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!