Update Sysmon.md

darkoperator · web-flow · commit 0149f17c1e14 · 2020-07-10T12:46:47.000-04:00
diff --git a/Sysmon.md b/Sysmon.md
@@ -1544,7 +1544,11 @@ Example of libraries leveraged by attackers
 
 ## Network Connections
 
-Sysmon will log **EventID 3** for all TCP and UDP network connections. This event will generate a large number of entries and filtering should be tuned for specific processes and ports. For the DestinationHostname, the GetNameInfo API is used and it will often not have any information and may just be a CDN, making it NOT reliable for filtering. For the DestinationPortName, the GetNameInfo API is used for the friendly name of ports. In the case of services doing connections on some systems due to memory use, they are hosted under svchost.exe and most connections will originate from this process.
+Sysmon will log **EventID 3** for all TCP and UDP network connections. This event will generate a large number of entries and filtering should be tuned for specific processes and ports. 
+
+For the DestinationHostname, the GetNameInfo API is used and it will often not have any information and may just be a CDN, making it NOT reliable for filtering since it uses a reverse DNS Lookup to get this information, in Sysmon v11.0 this behaviour can be disabled by using the ```<DnsLookup>True</DnsLookup>``` at the root of the confifuration file. 
+
+For the DestinationPortName, the GetNameInfo API is used for the friendly name of ports. In the case of services doing connections on some systems due to memory use, they are hosted under svchost.exe and most connections will originate from this process.
 
 The fields for the event are:
 
@@ -1584,6 +1588,7 @@ The fields for the event are:
 
 * **DestinationPortName**: Name of the destination port
 
+
 Example tracking connections for attacker "Living off the land"
 
 ```xml
