Velocidex · scudette · Apr 13, 2021 · Apr 12, 2021
diff --git a/artifacts/definitions/Windows/ETW/DNSQueriesServer.yaml b/artifacts/definitions/Windows/ETW/DNSQueriesServer.yaml
@@ -0,0 +1,35 @@
+name: Windows.ETW.DNSQueriesServer
+type: CLIENT_EVENT
+
+description: |
+   Logs dns queries on DNS servers. This is handy for identifying the true source system that is initiating malicious dns requests that you observed. Note that this can be resource intensive for the CPU on busy DNS servers - from 5% to 70% CPU load of one core, but memory consumption is very low. This is still a lot less then enabling DNS debug logging. 
+
+author: "Jos Clephas - jos-ir"
+
+parameters:
+  - name: QueryNameRegex
+    default: .
+  - name: SourceIPRegex
+    default: .
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+        SELECT System.TimeStamp as TimeStamp,
+               System.ID as ID,
+               EventData.BufferSize as BufferSize,
+               EventData.Flags as Flags,
+               EventData.InterfaceIP as InterfaceIP,
+               EventData.Port as Port,
+               EventData.QNAME as QNAME,
+               EventData.QTYPE as QTYPE,
+               EventData.RD as RD,
+               EventData.Source as Source,
+               EventData.TCP as TCP,
+               EventData.XID as XID
+        FROM watch_etw(guid="{EB79061A-A566-4698-9119-3ED2807060E7}")
+        WHERE EventData AND
+              QNAME =~ QueryNameRegex AND 
+              Source =~ SourceIPRegex