empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 00:45:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
fleet/schema/tables/dns_cache.yml
Josh Brower 4c73ccb338
Add additional Windows tables to schema (#8817) 
* Add dns_cache

* Add ntdomains

* Add userassist

* add shimcache

* Spacing
2022-11-28 10:00:23 -05:00

17 lines
1.1 KiB
YAML
Raw Permalink Blame History

name: dns_cache
examples: >-
An integral part of incident response is understanding all systems that may have been compromised. To help with this, a query like the following will return positive for a system that has resolved a domain that contains `baddomain`. It's important to note that a system will only cache the DNS mapping for a limited time - see Notes below for further information.
```
SELECT name, type FROM dns_cache WHERE name LIKE '%baddomain%';
```
notes: >-
This table pulls from the local system's DNS cache. By default, the local DNS cache entry for a domain will be removed once the TTL for the domain has expired. For instance, osquery.io has a TTL of 60 seconds. When this domain has been resolved on a local Windows system, the DNS mapping will expire in 60 seconds from the resolution time - so `SELECT * FROM dns_cache WHERE name = 'osquery.io'` will only return results during that 60 second window.
Windows has a maximum time that it allows a cache entry to exist- by default, it is 1 day. If the domain has a TTL of greater than 1 day, Windows will still remove the DNS entry from its cache after 1 day.
Reference in New Issue View Git Blame Copy Permalink