DNS Early Detection – Cobalt Strike DNS C2 & Exfiltration | Infoblox

Infoblox demonstrates how detecting DNS exfiltration and DNS-based C2 communications can protect enterprises, using Suspicious Domain feeds and Threat Insight to block or interrupt attacks. The study compares two anonymized customers with different security policies, highlighting the value of combining Suspicious Domain data with Threat Insight for stronger DNS protection. #SideWinder #Rattlesnake #CobaltStrike #army-lk.org

Keypoints

  • Infoblox proves the value of DNS early detection by using Suspicious Domain feeds and Threat Insight to identify and block DNS exfiltration and C2 activities.
  • The SideWinder (aka Rattlesnake) threat group is inferred to be behind the observed DNS-based activity and is discussed in relation to Cobalt Strike loaders.
  • The IoC army-lk[.]org is linked to the SideWinder activity, identified as suspicious shortly after registration.
  • Customer #1’s policy leverages Suspicious Domain feeds to block traffic and uses Threat Insight in near real time, blocking queries to army-lk[.]org immediately.
  • Customer #2 relies on Threat Insight without Suspicious Domain blocking, interrupting the same malicious domain after just 7 DNS queries.
  • Conclusion: deploying both Suspicious Domain feeds and Threat Insight within a Defense-in-Depth framework enhances DNS protection and can reduce risk.

MITRE Techniques

  • [T1071.004] DNS – The activity uses DNS as a channel for C2 and data exfiltration via Cobalt Strike beacons. Quote: ‘Cobalt Strike beacons, which can be deployed as staged or stageless payloads, can be configured. Cobalt Strike can deliver C2 commands and ready data for exfiltration if an unidentified malicious domain is involved in communications.’
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs through the DNS-based C2 channel as beacons communicate with malicious domains. Quote: ‘Cobalt Strike beacons, which can be deployed as staged or stageless payloads, can be configured. Cobalt Strike can deliver C2 commands and ready data for exfiltration if an unidentified malicious domain is involved in communications.’
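The two customer policies above (block on a Suspicious Domain feed hit versus interrupt after a handful of queries once DNS behaviour looks like tunnelling) can be reproduced in a small detector. The following is an added example and not Infoblox code: it does not model Threat Insight itself, only a plausible behavioural heuristic (many unique, high-entropy subdomains under one registered domain). The log lines, the `tunnel-example.test` domain, the thresholds and the two-label registered-domain shortcut are all constructed assumptions; the only value taken from the post is the army-lk[.]org IoC used as the feed entry.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not taken from the Infoblox post).
# Fields: epoch_seconds client_ip qname qtype
SAMPLE_LOG = """\
1681600000 10.0.0.5 www.example.com A
1681600001 10.0.0.5 cdn.example.com A
1681600002 10.0.0.7 army-lk.org A
1681600003 10.0.0.7 army-lk.org A
1681600004 10.0.0.9 3a9f1c7e2b4d6e8f.tunnel-example.test TXT
1681600005 10.0.0.5 mail.example.com A
1681600006 10.0.0.9 7c2e9b1a4f6d8e0c.tunnel-example.test TXT
1681600007 10.0.0.9 0d4b8f2a6c1e9b3d.tunnel-example.test TXT
1681600008 10.0.0.5 api.example.com A
1681600009 10.0.0.9 9e1c5a7f3b0d2e4a.tunnel-example.test TXT
1681600010 10.0.0.9 5f3a7c9e1b8d0f2c.tunnel-example.test TXT
1681600011 10.0.0.5 static.example.com A
1681600012 10.0.0.9 2b6d0f4a8c3e7b1f.tunnel-example.test TXT
1681600013 10.0.0.5 login.example.com A
1681600014 10.0.0.9 8a0e2c6b4d9f1a5e.tunnel-example.test TXT
1681600015 10.0.0.5 www.example.com A
1681600016 10.0.0.9 1c7f3b9d5a2e8c0b.tunnel-example.test TXT
"""

# Stand-in for a Suspicious Domain feed; army-lk[.]org is the IoC named in the post.
SUSPICIOUS_DOMAINS = {"army-lk.org"}

# Behavioural thresholds (assumed values; the 7 mirrors the query count quoted in the post).
QUERY_THRESHOLD = 7       # act once a domain has been queried this many times ...
UNIQUE_SUB_THRESHOLD = 7  # ... with at least this many distinct subdomains ...
ENTROPY_THRESHOLD = 3.0   # ... whose labels average at least this Shannon entropy (bits/char)


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplified registered domain: last two labels (a real deployment would use a public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Everything left of the registered domain, '' if the query is for the apex."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def parse_line(line: str):
    """Return (timestamp, client, qname, qtype) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return int(ts), client, qname, qtype


def evaluate(log_text: str, feed=SUSPICIOUS_DOMAINS) -> dict:
    """
    Walk the log in order and decide per registered domain:
      ("blocked_by_feed", 1)              - feed policy stops the first query
      ("interrupted_by_behaviour", n)     - behavioural heuristic fires on the n-th query
    Domains that never meet either condition are absent from the result.
    """
    decisions = {}
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, qname, _ = rec
        dom = registered_domain(qname)
        if dom in decisions:
            continue  # already blocked or interrupted; later queries are not counted
        if dom in feed:
            decisions[dom] = ("blocked_by_feed", 1)
            continue
        st = stats[dom]
        sub = subdomain_part(qname)
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub)
        avg_entropy = st["entropy_sum"] / st["queries"]
        if (st["queries"] >= QUERY_THRESHOLD
                and len(st["subdomains"]) >= UNIQUE_SUB_THRESHOLD
                and avg_entropy >= ENTROPY_THRESHOLD):
            decisions[dom] = ("interrupted_by_behaviour", st["queries"])
    return decisions


if __name__ == "__main__":
    for domain, (reason, n) in evaluate(SAMPLE_LOG).items():
        print(f"{domain}: {reason} at query {n}")
```

Running it on the constructed log gives one feed block on the first army-lk.org query and one behavioural interruption on the seventh tunnel-example.test query, while example.com, which is queried seven times but with only six short, low-entropy subdomains, is left alone. That gap between "query 1" and "query 7" is the point the post makes with its two customers: a feed hit is cheaper and earlier, and the behavioural layer catches what the feed does not yet list.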

Indicators of Compromise

  • [Domain] army-lk[.]org (army-lk.org) – Key IoC associated with the SideWinder APT, identified as suspicious and linked to the activity described (domain created 4.13.2023 and flagged 4.16.2023).

Read more: https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-cobalt-strike-dns-c2/