{"id":29554,"date":"2023-05-06T05:01:44","date_gmt":"2023-05-06T03:01:44","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=29554"},"modified":"2023-05-12T06:34:43","modified_gmt":"2023-05-12T04:34:43","slug":"dnsteal-data-exfiltration-and-tunneling-via-dns-techniques-and-detection","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/05\/06\/dnsteal-data-exfiltration-and-tunneling-via-dns-techniques-and-detection\/","title":{"rendered":"DNSteal: Data Exfiltration and Tunneling via DNS &#8211; Techniques and Detection"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2023\/05\/06\/dnsteal-data-exfiltration-und-tunneling-ber-dns-techniken-und-erkennung\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A security topic that was not really on my radar: data theft by abusing the Domain Name System (DNS). The relevant terms are DNS exfiltration, DNS tunneling and DNSteal (a tool for it). Roughly speaking, these are techniques that can be used to tunnel through firewalls and exfiltrate (steal) data via DNS queries to attacker-controlled name servers.<\/p>\n<p><!--more--><\/p>\n<h2>Data Exfiltration through DNS<\/h2>\n<p>Especially for enterprises, there is a risk of data being siphoned off from the corporate network without anyone noticing. IT tries to block data outflow with firewalls and other security measures. 
But attackers look for ways to abuse DNS (Domain Name System) for their own purposes.<\/p>\n<h3>Advice from Akamai<\/h3>\n<p>Security vendor Akamai has an article\u00a0<a href=\"https:\/\/web.archive.org\/web\/20220628005925\/https:\/\/www.akamai.com\/blog\/security\/dns-the-easiest-way-to-exfiltrate-data\" target=\"_blank\" rel=\"noopener\">DNS: The Easiest Way to Exfiltrate Data?<\/a> on the topic, which describes the various ways attackers abuse DNS. These include DNS tunneling (high throughput) and DNS exfiltration (low throughput).<\/p>\n<p>According to Akamai, attackers take advantage of the fact that most companies do not interfere with DNS traffic because of its critical role. In both variants the DNS protocol itself carries the stolen data: the attackers encode data into the names they query, so the request contains information that has nothing to do with name resolution. Because such a query is ultimately answered by the authoritative name server for the attacker's domain, the endpoint does not even need direct Internet access; the company's own recursive resolver forwards the query on its behalf.<\/p>\n<ul>\n<li>In high-throughput <strong>DNS tunneling<\/strong>, a stream of DNS queries carrying encoded data goes to one or more attacker-controlled domains; the authoritative server for those domains extracts the data from each query and can return further data in its responses. Akamai lists DNS tunneling to bypass a WLAN paywall as a harmless variant and communication with a command and control [C2] server as a more harmful one. According to the vendor, DNS tunneling should be easy to detect and block because of the volume of queries involved.<\/li>\n<li>Low-throughput <strong>DNS data exfiltration<\/strong> is harder to detect because the query volume to any individual domain does not rise noticeably. For example, a malware-infected endpoint may only wake up once an hour and send a single DNS query with a short encoded message to its C2 domain.<\/li>\n<\/ul>\n<p>The latter method is probably very popular among attackers for disguising communication with certain domains. Valuable data (e.g. credit card data) can often be smuggled out undetected in this way.<\/p>\n<h3>What is DNSteal?<\/h3>\n<p>The second term I came across in this context is DNSteal &#8211; a combination of DNS and steal. FortiGuard describes it in its <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/52155\" target=\"_blank\" rel=\"noopener\">IPS Threat Encyclopedia<\/a> as \"DNSteal is a tool that can tunnel data over DNS to bypass firewall policy.\" On GitHub <a href=\"https:\/\/github.com\/m57\/dnsteal\" target=\"_blank\" rel=\"noopener\">here<\/a>\u00a0is a tool called DNSteal 2.0, which acts as a fake DNS server designed to allow testers to stealthily extract files from a victim computer via DNS queries.<\/p>\n<h2>An Article explaining it all<\/h2>\n<p>I had already written several times in my German blog about products from Helge Klein, such as his tools SetACL and Delprof2 or his monitoring product uberAgent with its Splunk integration (see my German article <a href=\"https:\/\/www.borncity.com\/blog\/2022\/08\/26\/gepinntit-sicherheit-uberagent-esa-die-perfekte-ergnzung-fr-edr-produkte\/\" target=\"_blank\" rel=\"noopener\">IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Erg\u00e4nzung f\u00fcr EDR-Produkte<\/a>). Helge Klein is a software developer, former MVP colleague and founder of the company vast limits GmbH. In August 2022 I reviewed his product uberAgent Endpoint Security Analytics (ESA) and asked him to let me know whenever he has something new and interesting.<\/p>\n<p>Helge pointed me some time ago to his blog post <a href=\"https:\/\/helgeklein.com\/blog\/dns-exfiltration-tunneling-how-it-works-dnsteal-demo-setup\/\" target=\"_blank\" rel=\"noopener\">DNS Exfiltration &amp; Tunneling: How it Works &amp; DNSteal Demo Setup<\/a> published in February 2023, which addresses the issues touched on above. In that article, he describes how DNS queries can be abused to pull data from an enterprise network using the techniques outlined above. 
The article also describes the Python script DNSteal, a demo setup and the actual data exfiltration with this tool.<\/p>\n<h2>Detect\/Prevent DNS Exfiltration<\/h2>\n<p>The question facing administrators in enterprises: \"How can I detect and prevent exfiltration of data from the corporate network via DNS requests?\" Typical signals are an unusually large number of unique subdomains queried under one domain, long or random-looking labels, and queries that recur at fixed intervals to a single domain; a prerequisite for seeing any of this is that endpoints may only talk to the company's own resolvers, so that every query is logged centrally. In August 2022, in the German article <a href=\"https:\/\/www.borncity.com\/blog\/2022\/08\/26\/gepinntit-sicherheit-uberagent-esa-die-perfekte-ergnzung-fr-edr-produkte\/\" target=\"_blank\" rel=\"noopener\">IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Erg\u00e4nzung f\u00fcr EDR-Produkte<\/a>, I introduced uberAgent, developed by Helge Klein. It is a solution that provides the IT department with the data it needs for monitoring and for investigating potential security incidents. The <em>uberAgent ESA<\/em> product featured in the article runs on macOS as well as Windows systems and has Splunk integration.<\/p>\n<p>From the article, I knew that Helge Klein was busy further developing his tool and addressing various security issues. On the topic of DNS exfiltration, he has integrated DNS exfiltration &amp; tunneling detection in <em>uberAgent 7.1<\/em>. 
He describes the features in question in his blog post <a href=\"https:\/\/uberagent.com\/blog\/uberagent-7-1-preview-dns-exfiltration-tunneling-detection\/\" target=\"_blank\" rel=\"noopener\">uberAgent 7.1 Preview: DNS Exfiltration &amp; Tunneling Detection<\/a>.<\/p>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=3rtPLO6-Ldw\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Detect DNS exfiltration with uberAgent ESA &amp; Splunk\" src=\"https:\/\/i.imgur.com\/uGYmTVo.png\" alt=\"Detect DNS exfiltration with uberAgent ESA &amp; Splunk\" \/><\/a><\/p>\n<p>The above <a href=\"https:\/\/www.youtube.com\/watch?v=3rtPLO6-Ldw\" target=\"_blank\" rel=\"noopener\">YouTube video<\/a> demonstrates the use of uberAgent 7.1 to detect DNS exfiltration by DNSteal. I introduced the uberAgent tool and its integration with Splunk in the blog post <a href=\"https:\/\/www.borncity.com\/blog\/2022\/08\/26\/gepinntit-sicherheit-uberagent-esa-die-perfekte-ergnzung-fr-edr-produkte\/\">IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Erg\u00e4nzung f\u00fcr EDR-Produkte<\/a>. That post also explains how to request evaluation and community licenses for testing.<\/p>\n<blockquote><p><strong>Note:<\/strong> The blog post <a href=\"https:\/\/www.borncity.com\/blog\/2022\/08\/26\/gepinntit-sicherheit-uberagent-esa-die-perfekte-ergnzung-fr-edr-produkte\/\" target=\"_blank\" rel=\"noopener\">IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Erg\u00e4nzung f\u00fcr EDR-Produkte<\/a> is a sponsored post and marked accordingly. This post, however, is not sponsored &#8211; I had asked Helge Klein to inform me about recent developments at uberAgent. 
Perhaps the topic is of interest to some readers.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>[German]A security topic that was not really on my radar: data theft by abusing the Domain Name System (DNS). The relevant terms are DNS exfiltration, DNS tunneling and DNSteal (a tool for it). Roughly speaking, these are techniques that can be used &hellip; <a href=\"https:\/\/borncity.com\/win\/2023\/05\/06\/dnsteal-data-exfiltration-and-tunneling-via-dns-techniques-and-detection\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-29554","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=29554"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29554\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=29554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=29554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=29554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
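Added example, not code from the blog post above, from DNSteal, from Akamai or from uberAgent: the mechanics summarised in the Akamai section, carried through in Python, together with a first-pass detector of the kind the "Detect/Prevent" section asks for. `encode_for_dns`/`decode_from_dns` show how a file is chopped into base32 labels of unique query names that a resolver cannot cache and must forward to the authoritative server of the attacker's zone; `analyse_queries` runs over a constructed query log and separates a high-throughput burst from hourly low-throughput beacons and from ordinary lookups. The name layout `<seq>.<base32 chunk>.<zone>`, the thresholds, the sample log and the domains (`exfil.example.net`, `c2.example.org`) are assumptions made for this example.

```python
"""Added example: data riding inside DNS query names, and a first-pass detector.

Not code from the blog post, DNSteal, Akamai or uberAgent. The name layout
<seq>.<base32 chunk>.<zone>, the thresholds and the sample log are assumptions.
"""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # longest textual name that fits the 255-octet wire limit


def encode_for_dns(data, zone, chunk_labels=1):
    """Chop data into query names <seq>.<b32 chunk>[.<b32 chunk>...].<zone>.

    Every name is unique (sequence number), so a recursive resolver cannot
    answer from cache and forwards it to the zone's authoritative server,
    which is where the attacker reads the payload out of the labels.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = MAX_LABEL * chunk_labels
    names = []
    for seq, start in enumerate(range(0, len(b32), per_query)):
        chunk = b32[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([str(seq), *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("zone too long for this chunk size")
        names.append(name)
    return names


def decode_from_dns(names, zone):
    """What the attacker's authoritative server does: reorder and reassemble."""
    suffix = "." + zone
    payload = ""
    for name in sorted(names, key=lambda n: int(n.split(".", 1)[0])):
        payload += "".join(name[:-len(suffix)].split(".")[1:])
    payload += "=" * (-len(payload) % 8)          # restore base32 padding
    return base64.b32decode(payload.upper())


def shannon_entropy(s):
    """Bits per character; encoded (random-looking) labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname):
    # Assumption: the last two labels are the registrable domain. A real
    # detector must use the Public Suffix List (think "example.co.uk").
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyse_queries(qnames, high_volume=20, long_sub=40, hi_entropy=3.8, low_min=3):
    """Group queries by zone and classify each zone.

    Returns {zone: (verdict, queries, unique_subdomains, avg_len, avg_entropy)}.
    Thresholds are assumptions for the constructed sample, not tuned values.
    """
    by_zone = defaultdict(list)
    for q in qnames:
        zone = registered_zone(q)
        by_zone[zone].append(q[:-len(zone) - 1] if q.endswith("." + zone) else "")
    report = {}
    for zone, subs in by_zone.items():
        n, uniq = len(subs), len(set(subs))
        avg_len = sum(len(s) for s in subs) / n
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        if n >= high_volume and uniq / n > 0.9 and avg_len > long_sub:
            verdict = "tunneling (high throughput)"    # bulk transfer: volume gives it away
        elif low_min <= n < high_volume and uniq == n and avg_len >= 20 and avg_ent > hi_entropy:
            verdict = "exfiltration (low throughput)"  # few, unique, random-looking names
        else:
            verdict = "benign"
        report[zone] = (verdict, n, uniq, round(avg_len, 1), round(avg_ent, 2))
    return report


# --- constructed sample: a "card dump" plus a query log mixing three behaviours ---
SECRET = b"cardholder=Jane Doe;pan=4111111111111111;exp=12/27;cvv=123\n" * 20
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def build_sample_queries():
    benign = ["www.microsoft.com"] * 12 + ["login.microsoftonline.com"] * 5
    bulk = encode_for_dns(SECRET, "exfil.example.net")           # one burst of queries
    # one unique, random-looking label per "hour" to a constructed C2 domain
    beacons = [B32_ALPHABET[i:] + B32_ALPHABET[:i] + ".c2.example.org" for i in range(6)]
    return benign + bulk + beacons


def demo():
    return analyse_queries(build_sample_queries())


if __name__ == "__main__":
    for zone, row in demo().items():
        print(f"{zone:24} {row}")
```

Running the script prints one line per zone with the verdict and the statistics behind it. The low-throughput verdict here rests only on the names being unique and random-looking; it deliberately ignores timing, which in a real detector is the stronger beaconing signal (queries at fixed intervals to one domain). `registered_zone` takes the last two labels, which is wrong for suffixes such as co.uk; use the Public Suffix List in production, and expect some noise from CDNs and telemetry services that also use long hashed subdomains.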