When a high-risk event is written to the Windows Event Log, a scheduled task runs a ping command with the event as the subdomain. The domain does not exist, so the name never resolves, but the DNS query is stored in the DNS server's log and can be used to generate alerts.
- Supply Chain Safety: Supply chain attacks are increasingly frequent; DNSCollect offers an agent-less approach, reducing potential vulnerabilities.
- Remote Collections: DNSCollect capitalizes on DNS queries, enabling seamless remote event log collection without needing installations or intrusive permissions.
It is still in beta and will benefit from real-world testing. If you're in cybersecurity or just curious, we'd appreciate it if you could take DNSCollect for a spin. Your feedback can be invaluable in refining and enhancing this tool for the community.
- Open the Task Scheduler in Windows
- Select "Import Task"
- Choose the event file we provided for you
- Under "Change User or Group", type Administrators so the task runs as that group
- Go to "Settings" and change "Do not start a new instance" to "Stop the existing instance". Otherwise the task will get stuck on the previous instance
- Go to "Actions" and choose the cmd.bat file
- Finished
Demo video: DNSCollect_in_Task.Scheduler_compressed.mp4
When someone tries to log in to your device but fails, the scheduled task fires for that event and sends a record to our DNS server.
Demo video: EventID.4625_compressed.mp4
Changing the settings of any account triggers our event and sends a record to our DNS server. If you do not remember making those changes, check your device for signs that it has been accessed without authorization.
Demo video: EventID.4732_compressed.mp4
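The collector side of the mechanism described above, as an added example that is not part of DNSCollect itself: it parses DNS query-log lines, picks out the beacon names, and raises alerts (escalating repeated failed logons). It assumes a beacon layout of `<EventID>.<hostname>.<collector-domain>`, a placeholder collector domain, and a BIND-style log format; the sample log lines are constructed.

```python
import re
from collections import Counter
# Assumed beacon layout (an assumption, not taken from the DNSCollect page):
# cmd.bat pings <EventID>.<hostname>.<collector-domain>; the name never
# resolves, but the query still lands in the DNS server's query log.
COLLECTOR_DOMAIN = "dnscollect.example"  # placeholder, not the real domain
# 4625 = "An account failed to log on", 4732 = "A member was added to a
# security-enabled local group" (Windows Security log).
EVENT_NAMES = {4625: "failed logon", 4732: "member added to local group"}
# Modelled on a BIND query-log line: "<date> <time> client <ip>#<port>: query: <qname> IN A"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN A")

# Constructed sample log: three 4625 beacons from ws01, one 4732 from ws02, one unrelated query.
SAMPLE_LOG = [
    "2024-05-01 09:00:01 client 203.0.113.10#53012: query: 4625.ws01.dnscollect.example IN A",
    "2024-05-01 09:00:02 client 203.0.113.10#53013: query: www.example.com IN A",
    "2024-05-01 09:00:05 client 203.0.113.10#53014: query: 4625.ws01.dnscollect.example IN A",
    "2024-05-01 09:00:09 client 203.0.113.10#53015: query: 4625.ws01.dnscollect.example IN A",
    "2024-05-01 09:01:00 client 203.0.113.22#53016: query: 4732.ws02.dnscollect.example IN A",
]

def parse_beacon(line):
    """Return (ts, source_ip, event_id, host) for a DNSCollect beacon, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    suffix = "." + COLLECTOR_DOMAIN
    if not qname.endswith(suffix):
        return None  # ordinary DNS traffic, not a beacon
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 2 or not labels[0].isdigit():
        return None  # unexpected shape: ignore rather than guess
    return m["ts"], m["ip"], int(labels[0]), labels[1]

def alerts(lines, failed_logon_threshold=3):
    """One INFO line per beacon; a HIGH line when a host reaches the 4625 threshold."""
    out, failures = [], Counter()
    for line in lines:
        b = parse_beacon(line)
        if b is None:
            continue
        ts, ip, event_id, host = b
        if event_id == 4625:
            failures[host] += 1
            if failures[host] == failed_logon_threshold:
                out.append(f"{ts} HIGH {host} ({ip}): {failed_logon_threshold} failed logons")
                continue
        name = EVENT_NAMES.get(event_id, f"event {event_id}")
        out.append(f"{ts} INFO {host} ({ip}): {name}")
    return out
```

The beacon name passes through every resolver between the host and the collector, so the hostname and Event ID are visible to them in clear text. Keep the labels within the DNS limits (63 bytes per label, 253 for the full name) or the query will be rejected before it is ever logged.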
- You can use the "Search" function and type "Task Scheduler"
- You can also press "Windows + R" to open the Run window and type "taskschd.msc"
- An EventID is a unique identifier assigned to specific events in the Windows Event Log. It's important in DNSCollect because certain EventIDs trigger actions and alerts within the tool.
- DNSCollect allows some degree of customization to specify actions for specific EventIDs. You can configure it to react differently based on your monitoring needs.
- If you encounter problems with DNSCollect's EventID monitoring, consult the tool's documentation or community support resources for troubleshooting guidance.
DNSCollect is sponsored by AP Lens (Whitelist DNS Firewall with Web Proxy)