Threat Hunting – C2 over DNS – Video Blog
Video – Threat Hunting – C2 over DNS
Hey folks, I’m Chris Brenton and in today’s threat hunting shorts we’re going to talk about command and control over DNS. I want to start with a network drawing because this one can be a little bit harder to understand, simply because the command and control traffic, the C2 traffic, isn’t leaving the compromised system and going directly out to the internet. It’s typically bouncing off of another system. So we need to understand what’s going on in order to really get a handle on this. So imagine I’m an attacker, I’m going to compromise this system and I want to set up a command and control channel so that this thing can call home and get its marching orders. For the video shorts we’ve done so far, the compromised system has always called out directly. This one’s a little different: it’s going to bounce off of another system. So how does this happen?
The first thing my attacker does is go out and register some domain. We’re using the example here of evil.com. You can’t use evil.com, that’s already taken, so they’ll use some other name; I’m just using evil.com here as an example. They’ll go out and register that domain, and when they register it, one of the questions they’re going to get asked is: where are your authoritative name servers? In other words, if somebody wants to look up a resource within that domain, what IP addresses do they have to connect to? What the attacker will do is register the IP addresses of their command and control server. Now, they program the compromised system such that any time it needs to check in to see if there are any marching orders, it does a DNS query for a resource record within that evil.com domain, and that query gets sent to the local forwarder.
That forwarder is what actually talks to the command and control server directly. So again, there’s no new traffic leaving my system and going out to the internet. If I think it might be compromised and I set up some monitoring to see if there’s additional traffic going out to the internet, I’m not going to see anything. I’ll see additional DNS queries going to wherever my DNS server is, but I might miss that because that system normally talks to the DNS server. So this one can be kind of stealthy. The query goes up, and it’s just an encoded message that says: hey, I’m here, I’m compromised, do you have anything for me to do? The answer that comes back to that query is what tells this system whether it needs to execute some command, or whether it’s just going to sit there and wait for a while before it checks in again.
Now here’s the problem with C2 over DNS, and this is what gives us the ability to distinguish it from normal DNS traffic. One of the side effects is that I, as the attacker, can run into problems with DNS caching. DNS caching is simply: hey, DNS server, you just looked up a record, cache that for some period of time, say 10 minutes. In other words, don’t just keep doing the lookup all the time; when you get an answer, hand that out to people for 10 minutes before you try and see if there’s a new answer to that question. That helps to minimize the amount of traffic going out over the internet link. This is a common technique that administrators use to try and reduce the amount of bandwidth being used through their internet link. My attacker might try and set a TTL of zero, but whatever the administrator sets on those DNS servers is going to override that. So even if the attacker says, don’t cache this information, the DNS server says, no problem, I’ll cache it for 10 minutes. So here’s what happens. Let’s say this compromised system tries to check in a minute later by sending the same query. Well, that information is still cached by the DNS server, so the DNS server is just going to hand back the same answer it did before. So this thing will repeat the same command, even though the attacker might have had something else in the queue for it to do.
So how does an attacker get around DNS caching? Well, the only way to do that is to do a unique query every single time. That way you don’t have to worry about things getting stuck in cache. Well, this opens up a point of visibility for us, because it means you’re going to see a lot of resources being queried within a remote domain. What do we mean by a lot of resources? Well, think about how many hosts it makes sense for your typical domain to expose to the internet. It’s not many, right? We might have www, we’ll have a web server. We might have a customer portal. We’ve got a mail server, maybe a download server, a DNS server. Oh look, we’re still counting on the fingers of one hand. In other words, there’s not many. We could easily say, yeah, for most domains, 10 or less is going to be what’s common.
If we start seeing more than that, that may be worth paying attention to, but 10 or less for a domain I don’t recognize makes perfect sense. Now what about some of the big service providers like Akamai, like Google, like Amazon AWS? Well, you might actually see a couple hundred, but those are resources you recognize, right? When I said Google, you didn’t ask yourself, Google, who’s that? Everybody knows who Google is. Everybody knows who Amazon AWS is. So if I see a resource record, or a lot of resource records, being queried within a domain I very clearly recognize, like Akamai, the biggest content delivery network in the world, everybody knows who they are. So if I see something like that, and it’s a couple hundred resource records, not a big deal. But if I don’t recognize it, yeah, okay, now that’s something I need to go in and pay attention to.
So let’s jump in and see what the data might look like for this. I could do this with RITA or AC-Hunter; I’m going to do this with RITA, our open source tool. So here’s the query I’m going to do with RITA. I’m going to say: RITA, show me DNS information for this particular data set, and then I’m just going to pipe it through head, which is just going to show me the first 10 lines of output. And that’s it. Okay, I’ve got my titles up at the top, and then my first line of data is this domain right here, R dash one x.com. Okay, I don’t recognize them. They’re not Google, they’re not Amazon. And yet we looked up 62,468 unique resource records within that domain. Okay, we said for a domain we don’t recognize it should be, you know, like 10 or less; 62,000 is much bigger than 10, right? That’s something worth going in and paying attention to. What’s this next number? This next number is just how many unique queries did we send to that domain. That number, honestly, from a C2 perspective is far less important. It’s the number of unique resource records we’re interested in. If we look at our second line, this is actually a subdomain of that first domain, and we looked up 62,466 unique resource records. And then if I look at my third entry, okay, here’s Akamai, here’s one we actually recognize, right? And for Akamai, the biggest CDN in the world, we only looked up 154 resource records.
Okay, that makes sense. You know, we did 27,000 queries, but it was only 154 unique resources that we were actually trying to access. Okay, that makes perfect sense. So what’s going on here? Well, clearly we’ve got something odd going on with this domain here. So what do we do next? Well, the next step for me would be, let’s go in and take a look at some of those resource records. So I’m going to clear my screen and I’m going to do pretty much the same query I did before, except now I just want to look at those resource records for this specific domain. I could pipe this through less so I can go through all of them, but quite honestly, I’m just going to say, hey, show me whatever will fit on the screen. So we’re looking at the last couple of matches on the screen here, because this is more than enough for me to figure out, oh no, wait, something’s going on.
How do we normally name systems? We normally give them a descriptive name that means something to people, right? Like www, like mail, like portal, like download. Now look at this system name. This system is named 3, 3, 5 F 3, 2 5 F 3, 3, 2 E blah, blah. No, no, something’s wrong, right? Something’s wrong. This fully qualified domain name tells me yes, something weird is going on here. If I look at the one above that, it’s a bunch of 2, 0, 2, 0, 2, 0s; something’s encoded here, something weird is going on. So this domain is definitely a problem. These queries definitely don’t make sense. What’s my next step? My next step is to figure out which system is sending these queries. Let’s go back to our drawing again for a second, because where we just saw this data is going to help identify what we need to do next to identify our target. In other words, let’s say all that data we were just looking at was collected here, right, by the firewall. We’ve got a sniffer running on the internal interface of the firewall, and we’re seeing all of these successive queries taking place. Well, that would mean that the source IP address is the DNS forwarder. That’s probably not the system that’s compromised; that’s not the one I need to go do incident response on. It’s probably someone who’s using that forwarder to send out its traffic. So now I need to go to my forwarder and either turn on logging or set up a sniffer or do something to see which internal system is sending that traffic, and whoever that is, that’s going to be my compromised system. Now, if I collected this data right here, off the internal interface of my DNS server, yeah, okay, obviously now the source IP address is going to be that system. But I may have to do a little bit of legwork to run it all the way back to figure out which system has actually been compromised.
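The two checks walked through above, scripted as an added Python example (not code from the video and not RITA’s own code): count unique names per registered domain, skip domains you recognise, flag anything over the 10-or-less baseline, and additionally flag leftmost labels that are long pure-hex strings like the ones on the screen. The query log, IP addresses, domain names and the recognised-provider list are all constructed placeholders.

```python
import collections
import string

# Constructed query log (not from the video): "src_ip fqdn", one query per line.
# The check-ins use a fresh hex-encoded label every time, like the records in the video.
SAMPLE_LOG = (
    ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com", "10.0.0.7 www.example.com"] * 5
    + ["10.0.0.9 %032x.c2-example.test" % i for i in range(40)]
    + ["10.0.0.7 cdn-%02d.cdn-example.net" % (i % 4) for i in range(200)]
)
KNOWN_PROVIDERS = {"cdn-example.net"}  # constructed stand-in for Akamai/Google/AWS
HEX = set(string.hexdigits)

def registered_domain(fqdn):
    """Last two labels; simplification, ignores multi-label public suffixes like co.uk."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def summarize(lines):
    """Per registered domain: unique FQDNs looked up, total queries, querying source IPs."""
    stats = collections.defaultdict(lambda: {"fqdns": set(), "queries": 0, "sources": set()})
    for line in lines:
        src, fqdn = line.split()
        d = stats[registered_domain(fqdn)]
        d["fqdns"].add(fqdn.lower())
        d["queries"] += 1
        d["sources"].add(src)
    return stats

def looks_encoded(fqdn):
    """Leftmost label is long and purely hex digits: nobody names a host like that."""
    label = fqdn.split(".")[0]
    return len(label) >= 16 and set(label) <= HEX

def flag_domains(lines, known=KNOWN_PROVIDERS, threshold=10):
    """Unrecognised domains with more unique names than a normal domain exposes."""
    hits = []
    for domain, d in summarize(lines).items():
        if domain in known or len(d["fqdns"]) <= threshold:
            continue
        hits.append({
            "domain": domain,
            "unique_fqdns": len(d["fqdns"]),
            "queries": d["queries"],
            "encoded_looking": sum(looks_encoded(f) for f in d["fqdns"]),
            # If the log came from the firewall, these are likely the forwarder's IPs,
            # not the compromised host; follow up on the forwarder's own logs.
            "sources": sorted(d["sources"]),
        })
    return sorted(hits, key=lambda h: -h["unique_fqdns"])
```

On the sample log, flag_domains(SAMPLE_LOG) returns only the constructed C2 domain: 40 unique names for 40 queries, all hex-looking, while the recognised CDN gets 200 queries for just 4 names and is skipped.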
If you find this information useful and you want to learn more, we actually offer a free threat hunter training class that runs for six hours over one day. Like I said, it’s free of charge. It’s about half lecture, half hands-on time. The next class is going to be October 4th; the link at the bottom of the slide allows you to go in and get signed up. We go through this and a lot of other threat hunting skills, if you find that useful. So, with that said, hopefully you had fun with this one and I will see you in the next video.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.