BHIS | How DNS can be abused for Command & Control | Troy Wojewoda | 1 Hour

  • Published: 7 Sep 2024
  • Join us in the Black Hills InfoSec Discord server here: / discord to keep the security conversation going!

    In this Black Hills Information Security (BHIS) webcast, Troy Wojewoda will go over some of the popular and maybe not-so-popular techniques where the DNS protocol has been abused by threat actors. He'll also cover approaches to detecting DNS abuse in the environment.

    Think you already have detections in place? It may surprise you that some of the most popular tools used by security practitioners fail to detect various levels of DNS abuse.

    Troy is teaching a live, online, paid, 16-hour training course: Network Forensics and Incident Response w/ Troy Wojewoda.
    Learn more here: www.antisyphon...

Comments • 2

  • @twinklingwater · 2 years ago

    Disclaimer: I'm not a Windows admin, so this explanation may be wrong.
    The sysmon/nslookup fail is likely to result from the location in the OS where Sysmon hooks itself and how nslookup doesn't use this mechanism.
    Sysmon is likely to hook the "gethostbyname" syscall, which takes a hostname and returns an IP address. It's set up to use your system's DNS configuration and not care about nameservers at all. In fact, gethostbyname returns names from a multitude of sources: DNS, hosts file, (probably) mDNS and likely others (on Linux there's a file called nsswitch.conf where the name sources are set up).
    Nslookup uses DNS specifically. It doesn't care about your local names, it only does DNS, and it does it by itself. Nslookup crafts DNS query packets by itself and sends them to the resolver of your choice, by default your local one. That means that gethostbyname is not triggered by nslookup, thus Sysmon doesn't catch the request.
    To be able to catch the request, Sysmon would need to monitor your outbound network traffic.
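The comment above makes the point that a host-side hook on the resolver API never sees a query a program writes to the wire itself, so the only place such a query can be caught is in outbound network traffic. The following Python is an added example, not code from the webcast or from either commenter: it decodes raw DNS query payloads the way a network monitor (a sensor on a span port, or UDP/53 payloads pulled from a pcap) would have to, and flags queries that were sent to a resolver outside an allowlist, which is exactly the traffic the resolver-API path misses. The resolver allowlist, the hostnames and the packets are all constructed for the example; RFC 5737 documentation addresses stand in for a rogue resolver.

```python
import struct

# QTYPE values that appear in the constructed sample traffic (RFC 1035, RFC 3596)
QTYPES = {1: "A", 16: "TXT", 28: "AAAA"}

# Constructed allowlist: the only resolvers a host on this network should talk to.
ALLOWED_RESOLVERS = {"10.0.0.53"}


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Encode a standard DNS query (one question, RD=1) in wire format.

    Used here only to construct realistic sample payloads; a monitor never
    needs to build packets, only to parse them.
    """
    # ID, FLAGS (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_query(payload: bytes) -> dict:
    """Decode the header and first question of a DNS message.

    Queries do not use name compression in the question section, so a
    compression pointer here is treated as malformed rather than followed.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "id": txid,
        "is_query": not (flags & 0x8000),   # QR bit clear => query
        "qname": ".".join(labels),
        "qtype": QTYPES.get(qtype, str(qtype)),
    }


def find_bypass_queries(packets, allowed_resolvers):
    """Return queries whose destination is not an approved resolver.

    `packets` is an iterable of (src_ip, dst_ip, udp_payload) tuples as a
    sensor would hand them over. Responses and undecodable payloads are
    skipped; in production they would be counted separately.
    """
    hits = []
    for src, dst, payload in packets:
        try:
            q = parse_query(payload)
        except ValueError:
            continue
        if q["is_query"] and dst not in allowed_resolvers:
            hits.append({"src": src, "dst": dst, "qname": q["qname"], "qtype": q["qtype"]})
    return hits


# Constructed sample traffic: one query via the approved resolver, one sent
# straight to an outside address (198.51.100.7 is RFC 5737 TEST-NET-2),
# and one malformed payload to exercise the error path.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.53", build_query("intranet.example.test", 1, 0x1001)),
    ("10.0.0.5", "198.51.100.7", build_query("lookup.example.test", 16, 0x1002)),
    ("10.0.0.5", "198.51.100.7", b"\x00\x01garbage"),
]

if __name__ == "__main__":
    for hit in find_bypass_queries(SAMPLE_PACKETS, ALLOWED_RESOLVERS):
        print(f"{hit['src']} -> {hit['dst']}  {hit['qtype']} {hit['qname']}")
```

Pointing this at real UDP/53 payloads is what turns the comment's closing sentence into a working detection: the resolver-API hook tells you which process asked, the wire tells you what actually left the host and to whom, and a complete picture needs both.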

  • @ian230187 · 2 years ago

    Thanks BHIS... Not sure, but I found the explanation a bit too fast.