Windows Event ID 22 — DNS Query

MITRE ATT&CK

Why It Matters

Modern malware communicates over DNS because DNS traffic is allowed through almost every firewall and rarely inspected. C2 frameworks like Cobalt Strike, Sliver, and custom implants resolve domain names for their callback servers, and rotate through many domains to evade blocklists. DNS tunneling encodes command-and-control data inside DNS query strings, entirely bypassing network-layer detection. Without Sysmon 22, you know a suspicious domain was resolved — but not which process resolved it. With Sysmon 22, you can immediately answer whether powershell.exe, rundll32.exe, or a legitimate browser made the query. That process context is the difference between a noise alert and a confirmed detection.

Key Fields

Normal vs Suspicious

Investigation Tips

1. 1.Process-DNS anomaly is the primary signal: powershell.exe, wscript.exe, mshta.exe, rundll32.exe, or Office applications (WINWORD.EXE, EXCEL.EXE) querying any external hostname. These processes have no legitimate business performing DNS resolution in most environments. Often appears with Sysmon 3 (network connection) immediately after the successful resolution.
2. 2.DGA detection: a single process generating many NXDOMAIN responses (QueryStatus ≠ 0) in rapid succession — the DGA algorithm generates a pool of candidate domains, the C2 server is registered at only one, so most fail. Alert on any process making 10+ NXDOMAIN DNS queries within 60 seconds.
3. 3.DNS tunneling: look for QueryName values with unusually long subdomains (50+ characters), high-entropy random strings as subdomains, or query patterns where the subdomain changes on every request but the base domain stays constant — exfiltrated data encoded in the subdomain labels.
4. 4.Newly registered domains: enrich QueryName with domain age data (passive DNS, WHOIS). C2 infrastructure is often registered days before use and may not appear on reputation blocklists yet. A domain registered < 30 days ago queried by powershell.exe is high priority.
5. 5.Correlate Sysmon 22 → Sysmon 3: a successful DNS resolution (QueryStatus = 0) should be followed by a Sysmon 3 network connection to the resolved IP within seconds. This chain — DNS query → IP resolution → TCP connection — confirms active C2 communication rather than just passive resolution.
6. 6.High-frequency queries to the same domain from a non-browser process at regular intervals: beacon heartbeat pattern visible at the DNS layer. Even if Sysmon 3 is suppressed or the connection is very short-lived, the DNS query is always visible.

How Attackers Evade This Event

• →DNS over HTTPS (DoH) — C2 domain resolution tunneled inside HTTPS to a DoH provider (8.8.8.8, 1.1.1.1, or a custom resolver); bypasses Sysmon 22 entirely because the DNS protocol is never invoked directly — the query goes via HTTPS and Sysmon sees only a Sysmon 3 connection to the DoH provider's IP
• →Direct IP C2 — bypassing DNS entirely by hardcoding the C2 server IP in the payload; no DNS query means no Sysmon 22 event. QueryName will never appear — only Sysmon 3 to a bare IP reveals the connection.
• →Domain fronting — C2 traffic sent via a legitimate CDN; the DNS query resolves to the CDN's IP (appears legitimate), but the HTTP Host header routes to the actual C2 server. Sysmon 22 shows a legitimate-looking CDN domain being queried.
• →Living-off-the-land DNS — using certutil, bitsadmin, or Invoke-WebRequest to resolve domains; the Image is a known system tool, reducing alert priority even though the QueryName is malicious.
• →Slow beacon with long TTLs — querying the C2 domain very infrequently (once per hour or longer) and relying on DNS caching to avoid repeated Sysmon 22 events between beacons.

Related Event IDs

Frequently Asked Questions

Why is Sysmon Event 22 more useful than network firewall DNS logs for detecting C2?

Firewall and DNS server logs show that a domain was queried from a source IP — but they cannot tell you which process on that IP made the query. In an environment with 100 processes running on a host, knowing the host queried a suspicious domain is a starting point, not a conclusion. Sysmon 22 adds the critical process context: powershell.exe querying the same domain as a browser is a completely different risk level. This process context transforms a network-layer alert into a host-level confirmed indicator, eliminating the correlation step that otherwise requires combining DNS logs with EDR telemetry.

What is a DGA domain and how does Sysmon Event 22 detect it?

DGA (Domain Generation Algorithm) malware generates a large pool of pseudo-random domain names using a seed (often the current date). Only one or a few of these domains are registered by the attacker at any given time; the malware tries each until it finds one that resolves. This produces a characteristic Sysmon 22 pattern: many consecutive NXDOMAIN responses (QueryStatus ≠ 0) from a single non-browser process, followed by a successful resolution. Alert on any process generating 10+ failed DNS queries in under 60 seconds — legitimate applications do not generate NXDOMAIN storms. The QueryName values will be high-entropy strings that are obviously algorithmically generated.

Does Sysmon Event 22 capture DNS-over-HTTPS (DoH) queries?

No — DNS over HTTPS bypasses the standard Windows DNS client entirely. DoH queries go directly to an HTTPS endpoint (port 443) on the DoH provider's IP, so no DNS protocol message is sent and Sysmon 22 never fires. The only Sysmon visibility into DoH is via Sysmon 3 (network connection): a process making many connections to a known DoH provider IP (8.8.8.8, 1.1.1.1, 9.9.9.9) while generating no corresponding Sysmon 22 events is a DoH evasion indicator. Block DoH at the network level and enforce the standard DNS client to maintain Sysmon 22 visibility.

How do I reduce Sysmon Event 22 volume without losing C2 detection coverage?

The key filter is the querying Image. In your Sysmon config, exclude DNS queries from high-volume, low-risk processes: browsers (chrome.exe, msedge.exe, firefox.exe), system processes (svchost.exe), and known security tools. Include all queries from high-risk processes: powershell.exe, cmd.exe, wscript.exe, mshta.exe, cscript.exe, Office applications, and any process in AppData or Temp. This reduces volume by 90%+ while preserving coverage of the processes attackers actually use for C2 communication. Alternatively, collect all Sysmon 22 events but filter in your SIEM — exclude known-good domains (Microsoft, Google, CDNs) and alert on everything else from non-browser processes.