DNS

Information

• Name: DNS

• ID: T1590.002

• Tactics:

• Technique:

Introduction

DNS (Domain Name System) is a fundamental protocol used to translate domain names into IP addresses. The MITRE ATT&CK sub-technique T1590.002 specifically addresses adversaries' abuse of DNS for command and control (C2) purposes. Attackers exploit DNS's ubiquity and trusted nature to establish covert communication channels, exfiltrate data, and evade detection. By embedding commands, data, or responses within DNS requests and responses, adversaries can bypass traditional security measures and maintain persistent access to compromised systems.

Deep Dive Into Technique

DNS-based command and control (C2) leverages DNS protocol characteristics to facilitate covert communication between compromised hosts and attacker-controlled servers. The following mechanisms and execution methods are commonly employed:

• DNS Tunneling:

  • Attackers encapsulate arbitrary data within DNS queries or responses, effectively creating a covert communication channel.

  • Data is usually encoded within subdomains or TXT records, enabling attackers to transmit commands, exfiltrate sensitive data, or receive instructions.

  • Tools commonly used for DNS tunneling include Iodine, DNSCat2, DNScapy, and PowerDNS.

• Domain Generation Algorithms (DGAs):

  • Attackers utilize DGAs to dynamically generate pseudo-random domain names, complicating detection and blocking.

  • Infected hosts query numerous domain names generated algorithmically until resolving to an attacker-controlled domain, facilitating C2 communication.

• Fast Flux DNS:

  • Attackers rapidly change DNS records, pointing domain names to numerous IP addresses, making it difficult to track and shut down malicious infrastructure.

  • This technique enhances resiliency and prolongs the lifespan of the C2 infrastructure.

• DNS over HTTPS (DoH) and DNS over TLS (DoT):

  • Attackers use encrypted DNS protocols to hide malicious DNS requests within encrypted traffic, further complicating detection efforts.

When this Technique is Usually Used

Attackers utilize DNS-based command and control in various attack scenarios and stages, including:

• Initial Access and Persistence:

  • After initial compromise, attackers establish DNS-based C2 channels to maintain persistent and stealthy communication with compromised hosts.

• Data Exfiltration Stage:

  • DNS tunneling is frequently employed to exfiltrate sensitive data, bypassing traditional firewall and proxy restrictions.

• Evasion and Defense Avoidance:

  • DNS-based communication blends into legitimate network traffic, making it difficult for security teams to differentiate malicious activity from normal DNS queries.

• Advanced Persistent Threat (APT) Campaigns:

  • Nation-state or sophisticated threat actors leverage DNS-based C2 to maintain long-term, low-profile access, evading detection by conventional monitoring systems.

How this Technique is Usually Detected

Detection of DNS-based command and control involves monitoring network traffic, analyzing DNS requests, and identifying anomalies. Common detection methods and indicators include:

• DNS Traffic Volume and Frequency Analysis:

  • Unusually high volumes of DNS requests or frequent DNS queries to unusual domains may indicate DNS tunneling.

• Domain Name Length and Entropy Analysis:

  • High entropy or unusually long domain names may be indicative of encoded data or DGA-generated domains.

• Monitoring DNS TXT Records:

  • Frequent or unusual use of DNS TXT records can signal data exfiltration or command-and-control activity.

• Detection of Known DNS Tunneling Tools:

  • Signature-based detection of known DNS tunneling tools (e.g., DNSCat2, Iodine) or their characteristic traffic patterns.

• Machine Learning and Behavioral Analytics:

  • Advanced detection solutions leveraging machine learning can analyze DNS query patterns, detect anomalies, and flag suspicious DNS activity.

• Indicators of Compromise (IoCs):

  • Suspicious DNS queries to newly registered or rarely accessed domains.

  • High number of DNS NXDOMAIN (non-existent domain) responses.

  • Repeated queries with incremental or random subdomains.

Tools and solutions commonly used for detection include:

• Network Intrusion Detection Systems (NIDS): Snort, Suricata, Zeek.

• Security Information and Event Management (SIEM) solutions: Splunk, IBM QRadar, Elastic Security.

• DNS monitoring and analytics platforms: Cisco Umbrella, DNSTwist, PassiveDNS.

Why it is Important to Detect This Technique

Early detection of DNS-based command and control is critical due to the following impacts and risks:

• Data Exfiltration:

  • Attackers use DNS tunneling to bypass traditional data loss prevention (DLP) controls, extracting sensitive data undetected.

• Stealthy Persistence:

  • DNS-based C2 channels allow attackers to maintain long-term, covert persistence within compromised networks, increasing the risk of prolonged damage and lateral movement.

• Bypassing Security Controls:

  • DNS is generally allowed through firewalls and proxies, making it an ideal channel for attackers to evade conventional network security measures.

• Operational and Reputational Damage:

  • Undetected DNS-based attacks can result in significant financial losses, regulatory penalties, and damage to organizational reputation.

• Risk of Further Compromise:

  • Persistent DNS-based C2 channels facilitate lateral movement, privilege escalation, and deployment of additional malware payloads.

Therefore, timely detection and mitigation of DNS-based command and control significantly reduce overall risk exposure and minimize potential damage.

Examples

Real-world examples of DNS-based command and control attacks include:

• OilRig (APT34):

  • Iranian threat actor OilRig utilized DNS tunneling for C2 communications and data exfiltration in targeted espionage operations.

  • Tools used: DNSExfiltrator, custom-developed malware.

  • Impact: Persistent access, sensitive data theft, espionage.

• FIN7 Group Attacks:

  • Financially motivated threat actor FIN7 leveraged DNS tunneling techniques to exfiltrate payment card data from compromised point-of-sale (POS) systems.

  • Tools used: DNSMessenger, custom DNS tunneling scripts.

  • Impact: Theft of financial data, significant financial losses for victims.

• APT32 (OceanLotus):

  • Vietnamese threat actor APT32 employed DNS tunneling for stealthy communication with infected hosts in multiple cyber-espionage campaigns.

  • Tools used: Cobalt Strike DNS beacon, customized DNS tunneling malware.

  • Impact: Long-term espionage, theft of intellectual property and sensitive information.

• PoshC2 Framework:

  • Open-source post-exploitation framework offering DNS-based C2 capabilities.

  • Tools used: PoshC2, PowerShell scripts, DNS tunneling modules.

  • Impact: Enables attackers to maintain stealthy persistence and evade detection.

These examples demonstrate the versatility, effectiveness, and widespread adoption of DNS-based command and control techniques by both nation-state actors and financially motivated cybercriminal groups.