Showing Posts About
DNS
-
Riccardo Ancarani - 9 Apr 2021
Detecting Exposed Cobalt Strike DNS Redirectors
A technique was developed to detect exposed Cobalt Strike DNS redirectors by identifying DNS servers that consistently return the same IP address for all domain queries. The method involves scanning DNS servers and analyzing their response patterns to identify potential Cobalt Strike infrastructure. An internet-wide survey was conducted to validate the detection approach, revealing multiple potential Cobalt Strike DNS servers.
-
Alfie Champion Jordan LaRose - 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #2
This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.
- 23 Aug 2018
DNS Rebinding Headless Browsers
A DNS rebinding attack technique targeting headless browsers running on AWS was demonstrated. The attack can exploit the AWS metadata endpoint by manipulating DNS and causing browsers to hang, potentially allowing exfiltration of sensitive AWS credentials. The method bypasses same-origin policy restrictions by dynamically changing domain IP addresses during browser interactions.