ID | Name |
---|---|
T1071.001 | Web Protocols |
T1071.002 | File Transfer Protocols |
T1071.003 | Mail Protocols |
T1071.004 | DNS |
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.[1][2]
ID | Name | Description |
---|---|---|
S0504 | Anchor |
Variants of Anchor can use DNS tunneling to communicate with C2.[3][4] |
G0026 | APT18 | |
G0087 | APT39 |
APT39 has used remote access tools that leverage DNS in communications with C2.[6] |
G0096 | APT41 | |
S0360 | BONDUPDATER |
BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[9] |
S1063 | Brute Ratel C4 |
Brute Ratel C4 can use DNS over HTTPS for C2.[10][11] |
G0114 | Chimera |
Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.[12] |
G0080 | Cobalt Group |
Cobalt Group has used DNS tunneling for C2.[13][14][15] |
S0154 | Cobalt Strike |
Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.[16][17][18] |
S0338 | Cobian RAT |
Cobian RAT uses DNS for C2.[19] |
C0029 | Cutting Edge |
During Cutting Edge, threat actors used DNS to tunnel IPv4 C2 traffic.[20] |
S1014 | DanBot |
DanBot can use use IPv4 A records and IPv6 AAAA DNS records in C2 communications.[21] |
S1111 | DarkGate |
DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. [22] |
S0354 | Denis |
Denis has used DNS tunneling for C2 communications.[23][24][25] |
S1021 | DnsSystem |
DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.[26] |
S0377 | Ebury | |
G0046 | FIN7 |
FIN7 has performed C2 using DNS via A, OPT, and TXT records.[28] |
S0666 | Gelsemium |
Gelsemium has the ability to use DNS in communication with C2.[29] |
S0477 | Goopy |
Goopy has the ability to communicate with its C2 over DNS.[25] |
S0690 | Green Lambert |
Green Lambert can use DNS for C2 communications.[30][31] |
S0170 | Helminth | |
S1027 | Heyoka Backdoor |
Heyoka Backdoor can use DNS tunneling for C2 communications.[33] |
S0070 | HTTPBrowser |
HTTPBrowser has used DNS for command and control.[34][35] |
S0260 | InvisiMole |
InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.[36] |
G0004 | Ke3chang | |
S1020 | Kevin |
Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.[38] |
G0140 | LazyScripter |
LazyScripter has leveraged dynamic DNS providers for C2 communications.[39] |
S0167 | Matryoshka |
Matryoshka uses DNS for C2.[40][41] |
S1015 | Milan |
Milan has the ability to use DNS for C2 communications.[42][38][43] |
S1047 | Mori | |
S0699 | Mythic | |
S0228 | NanHaiShu | |
S1090 | NightClub |
NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.[48] |
G0049 | OilRig |
OilRig has used DNS for C2 including the publicly available |
S0124 | Pisloader | |
S0013 | PlugX |
PlugX can be configured to use DNS for command and control.[34] |
S0145 | POWERSOURCE |
POWERSOURCE uses DNS TXT records for C2.[54][55] |
S0184 | POWRUNER | |
S0269 | QUADAGENT | |
S0495 | RDAT | |
S0125 | Remsec | |
S0596 | ShadowPad | |
S1019 | Shark | |
S0633 | Sliver | |
S0615 | SombRAT |
SombRAT can communicate over DNS with the C2 server.[66][67] |
S0157 | SOUNDBITE | |
S0559 | SUNBURST |
SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.[69] |
S0663 | SysUpdate |
SysUpdate has used DNS TXT requests as for its C2 communication.[70] |
S0146 | TEXTMATE | |
G0081 | Tropic Trooper |
Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.[71] |
S0022 | Uroburos |
Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.[72] |
S0514 | WellMess |
WellMess has the ability to use DNS tunneling for C2 communications.[73][74] |
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic |
Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets. |
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
Network Traffic Flow |
Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |