Application Layer Protocol: DNS

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.[1][2]

ID: T1071.004
Sub-technique of:  T1071
Platforms: Linux, Network, Windows, macOS
Contributors: Chris Heald; Jan Petrov, Citi
Version: 1.2
Created: 15 March 2020
Last Modified: 26 December 2023

Procedure Examples

ID Name Description
S0504 Anchor

Variants of Anchor can use DNS tunneling to communicate with C2.[3][4]

G0026 APT18

APT18 uses DNS for C2 communications.[5]

G0087 APT39

APT39 has used remote access tools that leverage DNS in communications with C2.[6]

G0096 APT41

APT41 used DNS for C2 communications.[7][8]

S0360 BONDUPDATER

BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[9]

S1063 Brute Ratel C4

Brute Ratel C4 can use DNS over HTTPS for C2.[10][11]

G0114 Chimera

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.[12]

G0080 Cobalt Group

Cobalt Group has used DNS tunneling for C2.[13][14][15]

S0154 Cobalt Strike

Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.[16][17][18]

S0338 Cobian RAT

Cobian RAT uses DNS for C2.[19]

C0029 Cutting Edge

During Cutting Edge, threat actors used DNS to tunnel IPv4 C2 traffic.[20]

S1014 DanBot

DanBot can use use IPv4 A records and IPv6 AAAA DNS records in C2 communications.[21]

S1111 DarkGate

DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. [22]

S0354 Denis

Denis has used DNS tunneling for C2 communications.[23][24][25]

S1021 DnsSystem

DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.[26]

S0377 Ebury

Ebury has used DNS requests over UDP port 53 for C2.[27]

G0046 FIN7

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[28]

S0666 Gelsemium

Gelsemium has the ability to use DNS in communication with C2.[29]

S0477 Goopy

Goopy has the ability to communicate with its C2 over DNS.[25]

S0690 Green Lambert

Green Lambert can use DNS for C2 communications.[30][31]

S0170 Helminth

Helminth can use DNS for C2.[32]

S1027 Heyoka Backdoor

Heyoka Backdoor can use DNS tunneling for C2 communications.[33]

S0070 HTTPBrowser

HTTPBrowser has used DNS for command and control.[34][35]

S0260 InvisiMole

InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.[36]

G0004 Ke3chang

Ke3chang malware RoyalDNS has used DNS for C2.[37]

S1020 Kevin

Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.[38]

G0140 LazyScripter

LazyScripter has leveraged dynamic DNS providers for C2 communications.[39]

S0167 Matryoshka

Matryoshka uses DNS for C2.[40][41]

S1015 Milan

Milan has the ability to use DNS for C2 communications.[42][38][43]

S1047 Mori

Mori can use DNS tunneling to communicate with C2.[44][45]

S0699 Mythic

Mythic supports DNS-based C2 profiles.[46]

S0228 NanHaiShu

NanHaiShu uses DNS for the C2 communications.[47]

S1090 NightClub

NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.[48]

G0049 OilRig

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.[49][50][51][52]

S0124 Pisloader

Pisloader uses DNS as its C2 protocol.[53]

S0013 PlugX

PlugX can be configured to use DNS for command and control.[34]

S0145 POWERSOURCE

POWERSOURCE uses DNS TXT records for C2.[54][55]

S0184 POWRUNER

POWRUNER can use DNS for C2 communications.[56][50]

S0269 QUADAGENT

QUADAGENT uses DNS for C2 communications.[57]

S0495 RDAT

RDAT has used DNS to communicate with the C2.[58]

S0125 Remsec

Remsec is capable of using DNS for C2.[59][60][61]

S0596 ShadowPad

ShadowPad has used DNS tunneling for C2 communications.[62]

S1019 Shark

Shark can use DNS in C2 communications.[42][43]

S0633 Sliver

Sliver can support C2 communications over DNS.[63][64][65]

S0615 SombRAT

SombRAT can communicate over DNS with the C2 server.[66][67]

S0157 SOUNDBITE

SOUNDBITE communicates via DNS for C2.[68]

S0559 SUNBURST

SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.[69]

S0663 SysUpdate

SysUpdate has used DNS TXT requests as for its C2 communication.[70]

S0146 TEXTMATE

TEXTMATE uses DNS TXT records for C2.[54]

G0081 Tropic Trooper

Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.[71]

S0022 Uroburos

Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.[72]

S0514 WellMess

WellMess has the ability to use DNS tunneling for C2 communications.[73][74]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets.

M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

References

  1. Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.
  2. Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.
  3. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  4. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  5. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  6. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  7. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  8. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  9. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  10. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  11. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  12. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  13. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  14. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  15. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  16. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  17. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  18. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  19. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  20. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  21. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  22. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  23. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  24. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  25. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  26. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
  27. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  28. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  29. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  30. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  31. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  32. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  33. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  34. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  35. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  36. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  37. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  1. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  2. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  3. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  4. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  5. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  6. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  7. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  8. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  9. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  10. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  11. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  12. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  13. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  14. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  15. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  16. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  17. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  18. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  19. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  20. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  21. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  22. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  23. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  24. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  25. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  26. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  27. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  28. BishopFox. (n.d.). Sliver DNS C2 . Retrieved September 15, 2021.
  29. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  30. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  31. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  32. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  33. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  34. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  35. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  36. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  37. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.