Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника DNS
EN
Риски
Каталоги
MITRE ATT&CK
Техника
DNS
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Application Layer Protocol:  DNS

ID Название
.001 Веб-протоколы
.002 Протоколы передачи файлов
.003 Протоколы эл. почты
.004 DNS
.005 Publish/Subscribe Protocols

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)

ID: T1071.004
Относится к технике:  T1071
Тактика(-и): Command and Control
Платформы: ESXi, Linux, Network Devices, Windows, macOS
Источники данных: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Версия: 1.3
Дата создания: 15 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
POWRUNER

POWRUNER can use DNS for C2 communications.(Citation: FireEye APT34 Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)
Sliver

Sliver can support C2 communications over DNS.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2 DNS)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)
POWERSOURCE

POWERSOURCE uses DNS TXT records for C2.(Citation: FireEye FIN7 March 2017)(Citation: Cisco DNSMessenger March 2017)
Matryoshka

Matryoshka uses DNS for C2.(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)
WellMess

WellMess has the ability to use DNS tunneling for C2 communications.(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)
SombRAT

SombRAT can communicate over DNS with the C2 server.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)
InvisiMole

InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.(Citation: ESET InvisiMole June 2020)
RDAT

RDAT has used DNS to communicate with the C2.(Citation: Unit42 RDAT July 2020)

TEXTMATE

TEXTMATE uses DNS TXT records for C2.(Citation: FireEye FIN7 March 2017)
Green Lambert

Green Lambert can use DNS for C2 communications.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)
Anchor

Variants of Anchor can use DNS tunneling to communicate with C2.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)
PlugX

PlugX can be configured to use DNS for command and control.(Citation: Dell TG-3390)
Remsec

Remsec is capable of using DNS for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)
DarkGate

DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. (Citation: Ensilo Darkgate 2018)
NanHaiShu

NanHaiShu uses DNS for the C2 communications.(Citation: fsecure NanHaiShu July 2016)
Brute Ratel C4

Brute Ratel C4 can use DNS over HTTPS for C2.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Trend Micro Black Basta October 2022)
Mori

Mori can use DNS tunneling to communicate with C2.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)
QUADAGENT

QUADAGENT uses DNS for C2 communications.(Citation: Unit 42 QUADAGENT July 2018)
Uroburos

Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
DnsSystem

DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.(Citation: Zscaler Lyceum DnsSystem June 2022)
NightClub

NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.(Citation: MoustachedBouncer ESET August 2023)
Shark

Shark can use DNS in C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
SOUNDBITE

SOUNDBITE communicates via DNS for C2.(Citation: FireEye APT32 May 2017)
Cobalt Strike

Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

Cobalt Strike

Cobalt Strike uses a custom command and control protocol that can encapsulated in DNS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)

SUNBURST

SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.(Citation: FireEye SUNBURST Backdoor December 2020)
Cobian RAT

Cobian RAT uses DNS for C2.(Citation: Zscaler Cobian Aug 2017)
Milan

Milan has the ability to use DNS for C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021)
DanBot

DanBot can use use IPv4 A records and IPv6 AAAA DNS records in C2 communications.(Citation: SecureWorks August 2019)
Pisloader

Pisloader uses DNS as its C2 protocol.(Citation: Palo Alto DNS Requests)
SysUpdate

SysUpdate has used DNS TXT requests as for its C2 communication.(Citation: Lunghi Iron Tiger Linux)
Mythic

Mythic supports DNS-based C2 profiles.(Citation: Mythc Documentation)

BONDUPDATER

BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.(Citation: Palo Alto OilRig Sep 2018)
Ebury

Ebury has used DNS requests over UDP port 53 for C2.(Citation: ESET Ebury Feb 2014)

Heyoka Backdoor

Heyoka Backdoor can use DNS tunneling for C2 communications.(Citation: SentinelOne Aoqin Dragon June 2022)
HTTPBrowser

HTTPBrowser has used DNS for command and control.(Citation: Dell TG-3390)(Citation: ThreatStream Evasion Analysis)
Kevin

Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.(Citation: Kaspersky Lyceum October 2021)
Goopy

Goopy has the ability to communicate with its C2 over DNS.(Citation: Cybereason Cobalt Kitty 2017)

ShadowPad

ShadowPad has used DNS tunneling for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)
Gelsemium

Gelsemium has the ability to use DNS in communication with C2.(Citation: ESET Gelsemium June 2021)
Helminth

Helminth can use DNS for C2.(Citation: Palo Alto OilRig May 2016)
Denis

Denis has used DNS tunneling for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)
Tropic Trooper

Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.(Citation: TrendMicro Tropic Trooper May 2020)

APT39

APT39 has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)
OilRig

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)
Chimera

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021)
FIN7

FIN7 has performed C2 using DNS via A, OPT, and TXT records.(Citation: FireEye FIN7 Aug 2018)
APT18

APT18 uses DNS for C2 communications.(Citation: PaloAlto DNS Requests May 2016)
Ke3chang

Ke3chang malware RoyalDNS has used DNS for C2.(Citation: NCC Group APT15 Alive and Strong)
Ember Bear

Ember Bear has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.(Citation: CISA GRU29155 2024)
Cobalt Group

Cobalt Group has used DNS tunneling for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)
APT41

APT41 used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

LazyScripter

LazyScripter has leveraged dynamic DNS providers for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021)

Контрмеры
Контрмера Описание
Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures: Ingress Traffic Filtering: - Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers. - Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges. Egress Traffic Filtering: - Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications. - Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected. Protocol-Based Filtering: - Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs. - Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue. Network Segmentation: - Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized. - Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems. Application Layer Filtering: - Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic. - Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Обнаружение

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2) Monitor for DNS traffic to/from known-bad or suspicious domains.

Ссылки

  1. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  2. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  3. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  4. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  5. Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.
  6. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  7. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  8. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  9. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  10. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  11. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  12. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  13. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  14. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  15. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  16. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  17. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  18. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  19. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  20. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  21. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  22. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
  23. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  24. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  25. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
  26. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  27. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  28. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  29. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  30. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  31. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  32. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  33. Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.
  34. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  35. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  36. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  37. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  38. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  39. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  40. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  41. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  42. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  43. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  44. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  45. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  46. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  47. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  48. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  49. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  50. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  51. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  52. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  53. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  54. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  55. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  56. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
  57. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  58. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  59. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  60. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  61. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  62. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  63. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  64. Microsoft Security Experts. (2022, August 24). Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks. Retrieved March 24, 2025.
  65. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  66. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  67. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  68. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  69. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  70. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  71. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  72. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  73. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  74. BishopFox. (n.d.). Sliver DNS C2 . Retrieved September 15, 2021.
  75. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  76. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  77. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  78. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  79. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.