Giulio ginesi

Riccardo Ancarani
9 Apr 2021

Detecting Exposed Cobalt Strike DNS Redirectors

A technique was developed to detect exposed Cobalt Strike DNS redirectors by identifying DNS servers that consistently return the same IP address for all domain queries. The method involves scanning DNS servers and analyzing their response patterns to identify potential Cobalt Strike infrastructure. An internet-wide survey was conducted to validate the detection approach, revealing multiple potential Cobalt Strike DNS servers.