DNS Deep Dive: How Attackers Use DNS to Find C2 Servers, Control Compromised Systems, and Exfiltrate Your Data

Webinar Registration

DNS is woven into the fabric of both the Internet and corporate intranets. It works so well that we forget it even exists, until it doesn’t work or is used against us.

The bad guys haven’t forgotten or ignored DNS, and it’s become an increasingly abused protocol. In fact, they are using, leveraging and exploiting DNS more and more to hide their communication right under our nose. In this real training for free event we will use network forensics tools and full packet captures to analyze and compare legitimate, innocent DNS traffic with suspicious DNS packets – all to show you how to recognize malicious DNS when you see it.

First though, I’ll give you a brief but technical introduction to DNS itself. You’ll learn how it’s normally a simply session-less question and answer protocol. I’ll also explain how DNS supports more than just the standard “What is the IP address for this domain name?” question (for example, via TXT queries). And we’ll actually dive deep into samples of this legitimate DNS traffic so you see what it actually looks like on the wire.

Then we’ll transition to the malicious use of DNS and show you more samples of:

Domain-generation-algorithm (DGA) queries
Command and control (C2) data tunneled through DNS
Data exfiltration via tunneled DNS

Attackers often obfuscate date before sending it in DNS packets so we’ll decode some samples of that as well.

Finally, we’ll talk about detection and explain the value to these correlation points

Inferring sessions on a session-less protocol
Packet quantity
Total bytes
Comparing domain names to lists like Alexa’s Top 500 sites
Least queried domain names

LogRhythm is our sponsor and Rob McGovern (Senior Technical Product Manager, Network Monitoring) and Erika Noerenberg (Senior Malware Analyst) are joining me, and we’ll use their Network Monitor Freemium tool to show you these DNS samples and demonstrate how to analyze DNS traffic for malicious activity. Ahead of our training feel free to download their NetMon Freemium so you can mirror our searches and DNS discovery.

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Organization:	Required
Country:	Required
State:	Required
Zip/Postal Code:	Required
Job Title:	RequiredRequired
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.