Executes a DNS query (DNSEvent)

What is DNS?

The Domain Name System (DNS) is the "phonebook" of the Internet. Humans access information online through domain names, e.g. www.google.com, while web browsers communicate using Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources. The purpose of DNS servers is to eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4).

DNSEvent

This event is generated when a process executes a DNS query, whether the query succeeds or fails and whether or not the answer comes from cache.
Attackers often leverage DNS for C2 by placing commands in the domain name fields of DNS lookups, encoding them so that they look like valid domain names. Compromised devices send these lookups to their configured DNS server, which passes them upstream until they eventually reach the attacker-controlled authoritative DNS server.
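As an added illustration that is not part of the original page, the script below scores a handful of constructed DNSEvent records (assumed layout: process name plus queried name; the thresholds are assumptions) for the encoded-command pattern just described: long or high-entropy subdomain labels, and many distinct subdomains under one registered domain.

```python
import math
from collections import defaultdict

# Constructed sample DNSEvent records (not real telemetry): (process name, queried name).
SAMPLE_EVENTS = [
    ("msedge.exe", "www.example.com"),
    ("chrome.exe", "update.googleapis.com"),
    ("spoolsv.exe", "download.windowsupdate.com"),
    ("svchost.exe", "a9f3kq7zx2m1p8rw4t6y.cdn-sync.example"),
    ("svchost.exe", "b7h2lm9vx4q3n1kd8ze5.cdn-sync.example"),
    ("svchost.exe", "c1p6rt3wz8j5mn2qa7xv.cdn-sync.example"),
]

def shannon_entropy(s):
    """Bits per character of s; encoded data scores higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Crude 'last two labels' approximation (assumption: no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def score_query(name, max_label=20, min_entropy=3.5):
    """Return the reasons a single query looks like it carries encoded data."""
    labels = name.lower().rstrip(".").split(".")[:-2]  # subdomain labels only
    reasons = []
    for lab in labels:
        if len(lab) > max_label:
            reasons.append(f"long label {lab!r}")
        if shannon_entropy(lab) >= min_entropy:
            reasons.append(f"high entropy label {lab!r}")
    return reasons

def find_suspicious(events, unique_threshold=3):
    """Flag per-query anomalies and domains receiving many distinct subdomains."""
    per_domain = defaultdict(set)
    findings = []
    for proc, name in events:
        per_domain[registered_domain(name)].add(name)
        for reason in score_query(name):
            findings.append((proc, name, reason))
    for dom, names in per_domain.items():
        if len(names) >= unique_threshold:
            findings.append(("*", dom, f"{len(names)} distinct subdomains"))
    return findings
```

On the constructed sample, the three svchost.exe queries are flagged for high-entropy labels and cdn-sync.example is flagged for receiving three distinct subdomains; the browser and spooler lookups produce no findings.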
References:
 
Example of DNS queries made by msedge.exe:
Why does msedge.exe make DNS queries?
This happens when we type a domain name (www.example.com) into the browser. The browser checks its own cache and the computer's cache for DNS records that match the domain name we entered; if it finds or resolves one, it requests the page from the website's host. Long story short, it is how the browser finds websites.
 
Does chrome.exe make DNS queries as well? Of course it does.
Every browser has to make DNS queries in order to find websites.
 
There are other processes that also make DNS queries. Below are more examples:
Other processes that execute DNS queries

Process Name | What is it?
(name not preserved in this export) | An internal search tool run by Cortana
(name not preserved in this export) | A shared service process that allows many Windows services to share a single process
(name not preserved in this export) | A process which belongs to Microsoft Visual Studio
(name not preserved in this export) | A process which runs the Windows OS print spooler service

The likely reason these processes execute DNS queries is that they contact websites for drivers, application updates, etc.