Covert Channels – Detecting DNS Tunnelling via Cobalt Strike

Domain Name System (DNS) is a fundamental protocol and naming system that enables computers, services or other applications connected to the internet or a private network that make use of domain names to work. It translates more readily memorised domain names into numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocol. DNS is not primarily intended to be used for command and control or tunnelling, however, utilities have been developed to enable tunnelling via DNS. As its primary use is not for general data transfer, DNS often has less attention in terms of security monitoring. With DNS tunnelling often going undetected, it represents a significant risk to an organisation. This article focuses on a recent threat discovered by Cyberseer that involved the use of the security assessment tool Cobalt Strike.

What is Cobalt Strike?

Cobalt Strike is a threat emulation software that allows the user to execute targeted attacks against a target. One of Cobalt Strike’s features is 'Beacon'. 'Beacon' is Cobalt Strike’s payload for red team operations. It executes commands, logs keystrokes, uploads files, downloads files, and can spawn other payloads when needed. In 2013, a feature was added to Cobalt Strike that allowed for DNS to be used as a data channel.

[https://blog.cobaltstrike.com/2013/06/06/dns-command-and-control-added-to-cobalt-strike/]

Detection of DNS Tunnelling

Cyberseer deploys advanced threat detection solutions as part of its managed security services, across a range of businesses and industries. By leveraging Darktrace’s Enterprise Immune System, a machine learning and mathematics-driven cyber defence immune system, Cyberseer Analysts were able to rapidly detect and alert the customer to the breach, and prevent further infection and network disruption. The following section will look at how unsupervised machine learning detected DNS tunnelling in action:

1 - Connection to a rare domain

An analyst noticed an HTTP connection to a domain that when compared to the device's usual pattern of life, was seen as unusual. Before this connection, this domain had never previously been seen within the customer environment:

Fri Oct 20 17, 10:14:50 10.10.10.1 connected to external-site.com [80]

2 - Download of payload

Once connected to the rare domain, the device was observed downloading a suspicious file:

10/20 10:14:53 files_identified      10.10.10.1 8694    192.43.85.132    80    -    - HTTP    cb3ac7e8a5c74c0c638c012d02cb04c238c70bff    271    https://2445.cdn.external-site.com/xc [80]    a64ab6422184d5bb6324b6d0a355abaa    application/x-gzip   

3 - Increase in external connections

Shortly after the download, the device was observed making a large number of outbound connections, which again when compared with the device's history was seen as unusual. In this event, the external connections were DNS queries that included randomly generated, 3-letter subdomains:

Fri Oct 20, 10:15:03 machineone1.fictionalcompany.ad.com made an unsuccessful DNS request for aab.stage.2991049.cdn.external-site.com to dns1.fictionalcompany.com [53]

Fri Oct 20, 10:15:03 machineone1.fictionalcompany.ad.com made an unsuccessful DNS request for cca.stage.2991049.cdn.external-site.com to dns1.fictionalcompany.com [53]

Fri Oct 20, 10:15:03 machineone1.fictionalcompany.ad.com made an unsuccessful DNS request for abc.stage.2991049.cdn.external-site.com to dns1.fictionalcompany.com [53]

Fri Oct 20, 10:15:03 machineone1.fictionalcompany.ad.com made an unsuccessful DNS request for xec.stage.2991049.cdn.external-site.com to dns1.fictionalcompany.com [53]

The graph below gives a visual representation of the large volume of DNS queries seen within a short period.

4 - Beacon Models

At the same time, Darktrace noticed an increase in connections an alert was generated signifying that the anomaly required further investigation. In this case, the following models were generated:

Solution

This scenario highlights how traditional signature-based approaches are not enough to adequately defend a network against constantly evolving threats.  The Darktrace technology does not require any prior knowledge of threats or need to update signature definitions. As shown above, a machine-learnt behavioural approach to security can detect threats ahead of other traditional solutions, allowing a faster response to potential breaches. Security technologies that require signatures and blacklists to be updated will always be one step behind the attackers and never be able to detect new unknown threats in real time. Cyberseer’s threat detection and analysis service bridges the gaps in an organisation's cyber defence system. Having the ability to detect and understand the severity of internal and external threats provides effective threat mitigation. Understanding your organisation's threat score and dealing with live issues early, decreases incident response times and significantly reduces the risk of cyber damage.