Hi. I saw an alert on my SIEM: internal host accessed a naughty external IP address (it turned out to be a false positive). The source host's Sysmon log reveals that MsMpEng.exe made a DNS query to <pseudo_bad_ip> but also to 'good' IPs. The IP lookup appears to have occurred as a result of the user hitting a webpage, with multiple embedded links being processed in the background.
I started digging and saw that sometimes MsMpEng.exe does DNS queries and sometimes it does not. To test, I typed URLs manually in Chrome and Firefox and saw that the DNS queries were attributed to their respective processes. MsMpEng.exe was not in the loop this time.
Does anyone know why this is happening? I am seeing this across all Win 10 hosts I checked; it appears to be expected behavior, but I can't find anything on the web.
Does anyone know why this is happening?
Yes, Smartscreen.
https://
regards, Robin
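The triage the original poster did by hand (pivot from the alerted IP to the Sysmon DNS events and see which process image issued each lookup) can be scripted. The block below is an added example and is not code from this thread; it parses Sysmon Event ID 22 (DnsQuery) records in the XML shape the Windows event log exports, strips Sysmon's IPv4-mapped "::ffff:" prefix from QueryResults, groups query names by process, and answers two questions a SIEM analyst would ask: which processes resolved a given IP, and which names only MsMpEng.exe resolved. All event records, host names, IPs and the Defender platform version in the path are constructed placeholders, not data from the post.

```python
"""Triage helper for Sysmon Event ID 22 (DnsQuery) records.

All events below are constructed samples for this example, not records from
the thread; the names, addresses and the Defender platform version are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows event log XML namespace used by Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon writes IPv4 answers in QueryResults as IPv4-mapped IPv6 ("::ffff:a.b.c.d;").
IPV4_MAPPED = re.compile(r"^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed image paths (the Platform version directory is a placeholder).
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def _event(utc, image, pid, query, results):
    # Build one Event ID 22 record in the shape Get-WinEvent's .ToXml() emits,
    # trimmed to the fields this helper uses (constructed sample data).
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="QueryName">{query}</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">{results}</Data>
    <Data Name="Image">{image}</Data>
  </EventData>
</Event>"""


# Constructed sample: the browser loads a page, Defender looks up two embedded
# hosts, and the browser later resolves one of them itself (via a CNAME).
SAMPLE_EVENTS = [
    _event("2021-01-20 10:15:01.001", CHROME, 4120, "news.example.com", "::ffff:203.0.113.10;"),
    _event("2021-01-20 10:15:01.250", DEFENDER, 3184, "cdn.example.net", "::ffff:198.51.100.7;"),
    _event("2021-01-20 10:15:01.300", DEFENDER, 3184, "tracker.example.org", "::ffff:192.0.2.44;"),
    _event("2021-01-20 10:15:02.100", CHROME, 4120, "cdn.example.net",
           "type: 5 cdn.edge.example.net;::ffff:198.51.100.7;"),
]


def _parse_results(raw):
    """Split a QueryResults string into plain addresses, dropping CNAME entries."""
    answers = []
    for item in raw.split(";"):
        item = item.strip()
        if not item or item.startswith("type:"):
            continue  # "type: 5 name" entries are CNAME chain links, not addresses
        m = IPV4_MAPPED.match(item)
        answers.append(m.group(1) if m else item)
    return answers


def parse_dns_events(xml_records):
    """Return a list of dicts for every Sysmon Event ID 22 record in xml_records."""
    events = []
    for rec in xml_records:
        root = ET.fromstring(rec)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue
        data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": data.get("UtcTime", ""),
            "image": data.get("Image", ""),
            "pid": int(data.get("ProcessId", "0")),
            "query": data.get("QueryName", ""),
            "answers": _parse_results(data.get("QueryResults", "")),
        })
    return events


def _exe(event):
    return event["image"].rsplit("\\", 1)[-1]


def queries_by_image(events):
    """Map executable name -> sorted list of names it resolved."""
    by_image = defaultdict(set)
    for ev in events:
        by_image[_exe(ev)].add(ev["query"])
    return {k: sorted(v) for k, v in by_image.items()}


def who_resolved(events, ip):
    """Executables whose DNS answers contained `ip` (the SIEM alert pivot)."""
    return sorted({_exe(ev) for ev in events if ip in ev["answers"]})


def names_queried_only_by(events, exe):
    """Names resolved by `exe` and by no other process on the host."""
    mine = {ev["query"] for ev in events if _exe(ev) == exe}
    others = {ev["query"] for ev in events if _exe(ev) != exe}
    return sorted(mine - others)


if __name__ == "__main__":
    evs = parse_dns_events(SAMPLE_EVENTS)
    for image, names in queries_by_image(evs).items():
        print(f"{image}: {', '.join(names)}")
    print("resolved 192.0.2.44:", who_resolved(evs, "192.0.2.44"))
    print("MsMpEng.exe only:", names_queried_only_by(evs, "MsMpEng.exe"))
```

On a real host, feed the function the output of `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System[EventID=22]]"` with `.ToXml()` applied to each event; a name that appears under MsMpEng.exe but under no browser is exactly the pattern the poster describes, and `who_resolved` shows whether the alerted IP ever came back to the process the user was actually driving.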