T1071.004 – DNS C2/Exfiltration (ExtraHop Detection)

ExtraHop Alert Details
Alert ID: EXTRAHOP-DNS-C2-1071-7842
Alert Time: 2024-03-12 16:30:45 EST
Severity: HIGH (88/100)
Source: ExtraHop Reveal(x)
Rule: “DNS Tunneling Detected – Potential C2 or Exfiltration”
MITRE ATT&CK: T1071.004 – Application Layer Protocol: DNS

Alert Details:

Detection: High volume of DNS queries with encoded subdomains – DNS tunneling

Source: 192.168.45.78 (ENG-WS-045 – Engineering)
DNS Server: 8.8.8.8 (Google public resolver; it recursed the queries to the authoritative server for evil.com, so the tunnel endpoint is the attacker's name server, not Google)
Time: 16:15-16:30 EST

DNS Query Pattern:

16:15:10 – TXT query for a1b2c3d4e5f6.evil.com (response: 247 bytes)
16:15:15 – TXT query for g7h8i9j0k1l2.evil.com (response: 251 bytes)
16:15:20 – TXT query for m3n4o5p6q7r8.evil.com (response: 242 bytes)
… (847 such queries between 16:15 and 16:30, roughly one per second; the three lines above are a sample)

Query Analysis:

Domain: *.evil.com (registered 2024-03-10, two days before the incident)
Query Type: TXT (a single character-string in a TXT answer carries up to 255 bytes and several can be chained, which gives the server a wide downstream channel)
Subdomain lengths: 12-16 characters (random and unique per query, so each one reaches the authoritative server instead of being answered from cache)
Response sizes: 200-300 bytes each
Total queries: 847 in 15 minutes
Total bytes observed: ~210 KB (847 × ~250-byte responses); the query labels carry the outbound payload, the TXT answers carry the inbound tasking

Decoded Data Sample (payload carried in the subdomain labels):

Subdomain: a1b2c3d4e5f6

Decoded: the reassembled stream starts with bytes 50 4B 03 04 14 00 (“PK\x03\x04”, a ZIP local file header; the same bytes base64-encode to “UEsDBBQAAAAIAICIF1Yj…”). The label values shown in this excerpt are illustrative; dnscat2 hex-encodes its packets, so a 12-character label carries 6 raw bytes.
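The decode and reassembly step shown above (and the Data Analysis step of the investigation) as an added example in Python; this is not the report's own decoder and not dnscat2's code. One function plays the client and hex-encodes a small constructed ZIP into 12-character labels under evil.com (dnscat2 also wraps each packet in session and sequence headers, which this simplification omits); the analyst side strips the domain, joins the labels in capture order, decodes, and checks the file signature. It also tallies bytes by direction, because label bytes and TXT-answer bytes measure different things. Base32 is included as a second encoding because DNS names are case-insensitive, so base64 in a label can be mangled by case-folding resolvers. The archive contents and file names are invented.

```python
import base64
import io
import zipfile

DOMAIN = "evil.com"  # attacker-controlled domain named in the alert


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archives the attacker staged (names invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("finance/q1_report.csv", "quarter,revenue\nQ1,1234567\n" * 40)
        z.writestr("customers.csv", "id,name,email\n"
                   + "".join(f"{i},cust{i},c{i}@corp.example\n" for i in range(60)))
    return buf.getvalue()


def encode_payload(payload: bytes, encoding: str) -> str:
    if encoding == "hex":
        return payload.hex()
    if encoding == "base32":  # padding dropped and lowercased: both legal in a label
        return base64.b32encode(payload).decode().rstrip("=").lower()
    raise ValueError(encoding)


def decode_payload(text: str, encoding: str) -> bytes:
    if encoding == "hex":
        return bytes.fromhex(text)
    if encoding == "base32":
        return base64.b32decode(text.upper() + "=" * (-len(text) % 8))
    raise ValueError(encoding)


def tunnel_queries(payload: bytes, encoding: str = "hex", label_len: int = 12,
                   domain: str = DOMAIN):
    """Client side: chop the encoded stream into fixed-length labels, one query each."""
    text = encode_payload(payload, encoding)
    return [f"{text[i:i + label_len]}.{domain}" for i in range(0, len(text), label_len)]


def reassemble(qnames, encoding: str = "hex", domain: str = DOMAIN) -> bytes:
    """Analyst side: keep names under the tunnel domain, strip it, join labels in order."""
    suffix = "." + domain
    chunks = []
    for q in qnames:
        q = q.rstrip(".").lower()
        if not q.endswith(suffix):
            continue  # unrelated query mixed into the capture
        chunks.append(q[:-len(suffix)].replace(".", ""))  # multi-label names join too
    return decode_payload("".join(chunks), encoding)


MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}


def identify(data: bytes) -> str:
    """Cheap file-type check on the reassembled stream (ZIP local file header = PK\\x03\\x04)."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def zip_members(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [(i.filename, i.file_size) for i in z.infolist()]


def direction_summary(qnames, response_sizes, encoding: str = "hex"):
    """Outbound bytes live in the labels; inbound bytes are the TXT answers.
    Summing answer sizes (847 x ~250 B) measures what the server sent, not what left."""
    return {"queries": len(qnames),
            "outbound_payload_bytes": len(reassemble(qnames, encoding)),
            "inbound_response_bytes": sum(response_sizes)}


if __name__ == "__main__":
    archive = build_sample_zip()
    names = tunnel_queries(archive)
    data = reassemble(names)
    print(identify(data), zip_members(data))
    print(direction_summary(names, [250] * len(names)))
```

Against a real capture the label order comes from the tunnel's own sequence numbers rather than from packet timestamps, and retransmitted or out-of-order queries have to be de-duplicated before decoding; the magic-byte check is still the quickest way to confirm what kind of file was moving.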

Detection Logic:

847 DNS queries in 15 minutes from a single workstation to a single domain (~1 query/s; highly anomalous)
TXT queries with random, non-repeating subdomains (DNS tunneling pattern)
Destination domain newly registered (2024-03-10)
Response sizes uniform at 200-300 bytes, consistent with fixed-size encoded payloads rather than ordinary TXT records
Pattern matches DNS tunneling (C2 or exfiltration)
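The detection logic above, scored over constructed DNS telemetry, as an added example; it is not ExtraHop's rule and not code from this report. The record layout, the thresholds, and the newly-registered-domain feed are assumptions, and the registered-domain split is a naive last-two-labels cut that production code should replace with the Public Suffix List. The sample data imitates the alert: one workstation sending about a query per second, each with a fresh high-entropy label under evil.com, next to a second host doing ordinary lookups.

```python
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (assumed layout, not an ExtraHop export) ---
# Each record: (timestamp, client_ip, qname, qtype, response_bytes)
START = datetime(2024, 3, 12, 16, 15, 0)


def _fake_label(i: int) -> str:
    """Deterministic 12-hex-char label standing in for one tunneled chunk."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:12]


SAMPLE = [
    (START + timedelta(seconds=i), "192.168.45.78",
     f"{_fake_label(i)}.evil.com", "TXT", 240 + i % 20)
    for i in range(120)
]
SAMPLE += [
    (START + timedelta(seconds=7 * i), "192.168.45.12", name, "A", 60)
    for i, name in enumerate(
        ["mail.corp.example", "intranet.corp.example", "www.example.net"] * 7)
]
# Assumed output of a domain-age enrichment (WHOIS or passive DNS), by registered domain.
NEWLY_REGISTERED = {"evil.com"}


def registered_domain(qname: str) -> str:
    """Naive split on the last two labels; real code should use the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 tunnel labels sit well above names like 'www'."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(records, *, min_queries=100, min_qps=0.5, min_txt_ratio=0.5,
                  min_unique_ratio=0.9, min_entropy=2.5, newly_registered=frozenset()):
    """Group queries by (client, registered domain) and apply the alert's heuristics.

    Returns {(client, domain): metrics}; metrics['flag'] is True when volume, rate,
    query type, label uniqueness and label randomness all clear their thresholds.
    Domain age is reported alongside and only raises confidence.
    """
    groups = defaultdict(list)
    for ts, client, qname, qtype, rbytes in records:
        groups[(client, registered_domain(qname))].append((ts, qname, qtype, rbytes))

    results = {}
    for (client, domain), rows in groups.items():
        rows.sort(key=lambda r: r[0])
        n = len(rows)
        span = max((rows[-1][0] - rows[0][0]).total_seconds(), 1.0)
        labels = [q.split(".")[0] for _, q, _, _ in rows]
        m = {
            "queries": n,
            "qps": n / span,
            "txt_ratio": sum(1 for r in rows if r[2] == "TXT") / n,
            # A tunnel never repeats a name (it would be answered from cache),
            # so nearly every query carries a unique first label.
            "unique_label_ratio": len(set(labels)) / n,
            "mean_label_entropy": sum(shannon_entropy(l) for l in labels) / n,
            "response_bytes": sum(r[3] for r in rows),
            "newly_registered": domain in newly_registered,
        }
        m["flag"] = (n >= min_queries and m["qps"] >= min_qps
                     and m["txt_ratio"] >= min_txt_ratio
                     and m["unique_label_ratio"] >= min_unique_ratio
                     and m["mean_label_entropy"] >= min_entropy)
        results[(client, domain)] = m
    return results


if __name__ == "__main__":
    for (client, domain), m in score_clients(SAMPLE, newly_registered=NEWLY_REGISTERED).items():
        if m["flag"]:
            print(f"ALERT {client} -> *.{domain}: {m['queries']} queries, "
                  f"{m['qps']:.2f} q/s, TXT {m['txt_ratio']:.0%}, "
                  f"entropy {m['mean_label_entropy']:.2f}, "
                  f"new domain={m['newly_registered']}, {m['response_bytes']} response bytes")
```

Grouping on the registered domain rather than the full name is what makes the volume count meaningful: each tunneled query has a never-seen-before name, so a per-qname count would show 847 names with one hit each and nothing would stand out.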
SOC Investigation Process

Step 1, Alert Validation: verify the ExtraHop alert. Tools: ExtraHop Console. Finding: DNS tunneling activity confirmed.
Step 2, Process Investigation: identify the process generating the queries on the endpoint. Tools: CrowdStrike Falcon. Finding: dnscat2.exe (DNS tunneling tool) running.
Step 3, Data Analysis: reassemble and decode the query payloads. Tools: base64/hex decoder. Finding: exfiltrated data was ZIP archives containing documents.
Step 4, Immediate Action: isolate the host. Tools: CrowdStrike. Finding: ENG-WS-045 quarantined.
Step 5, DNS Blocking: block the evil.com domain. Tools: Cisco Umbrella, Palo Alto. Finding: domain blocked.
Step 6, Malware Removal: clean the infected host. Tools: CrowdStrike Live Response. Finding: dnscat2.exe removed; host reimaged.

Jira Incident Report
Ticket: SOC-2024-209
Summary: T1071.004 – DNS Tunneling C2/Exfiltration via dnscat2
Status: RESOLVED
Resolution: MALICIOUS – C2 Disrupted, Data Exfiltrated (210 KB)
Priority: P2 – MEDIUM
Labels: T1071, dns-tunneling, c2, exfiltration, extrahop, dnscat2
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: ExtraHop Reveal(x).
Alert: “DNS Tunneling Detected – Potential C2 or Exfiltration”.
Source: ENG-WS-045 (Engineering, user rpatel).
Method: DNS tunneling via TXT queries to evil.com.
Data: ~210 KB exfiltrated or C2 traffic.
Time: 2024-03-12 16:30 EST.
Technique: MITRE ATT&CK T1071.004 – Application Layer Protocol: DNS.

2. Technical Analysis:

Attack Chain:

15:30 – rpatel account compromised via phishing
15:45 – Attacker logs into ENG-WS-045
15:50 – Attacker downloads dnscat2.exe (DNS tunneling tool)
15:55 – Attacker collects sensitive files (ZIP archives)
16:00-16:30 – Exfiltration via DNS tunneling (the alert's 847-query count covers the final 15 minutes, 16:15-16:30)
16:30 – ExtraHop detects

DNS Tunneling Tool:

Name: dnscat2.exe
SHA256: a1b2c3d4…
Mechanism: encodes outbound data into the subdomain labels of DNS queries; the attacker's server returns commands and data in the TXT answers
Protocol: DNS over UDP port 53, sent to the workstation's configured resolver (8.8.8.8), which recursed to the attacker's name server
Server: evil.com (attacker-controlled authoritative DNS server)

Exfiltrated Data (210 KB):

Financial reports (2 files) – 95 KB
Customer list (1 file) – 58 KB
Source code snippets (3 files) – 57 KB
Total: 6 files, 210 KB

DNS Query Analysis:

Total Queries: 847 in 15 minutes
Response size per query: ~250 bytes (TXT answer)
Total Data: ~210 KB
Domain: evil.com (now blocked)

3. Investigation Findings:

Timeline:

15:30 – Account compromised
15:45 – Attacker logs in
15:50 – dnscat2.exe downloaded
15:55 – Data collection
16:00-16:30 – Exfiltration
16:30 – ExtraHop alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – Domain blocked

Indicators of Compromise (IoCs):

Network:

– Domain: evil.com (blocked)

– DNS pattern: 847 TXT queries in 15 minutes

File:

– C:\Windows\Temp\dnscat2.exe (SHA256: a1b2c3d4…)

Account:

– rpatel (compromised)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045.
Blocked evil.com domain at firewall and DNS.
Terminated dnscat2.exe process.
Deleted dnscat2.exe.
Disabled rpatel account.
Reset password.

Data Protection:

Determined scope of exfiltrated data (210 KB, 6 files).
Notified affected data owners.

Host Remediation:

Reimaged host.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
DNS allowed to external resolvers (8.8.8.8).

6. Business Impact:

Operational Impact: Engineering host offline for 2 hours.
Data Exposure: 210 KB of sensitive data exfiltrated (financial, customer, source code).

7. Remediation & Prevention:

Completed Actions:

Exfiltration stopped.
Malware removed.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted DNS to corporate resolvers only. This does not stop tunneling by itself, since the corporate resolver still recurses to the attacker's authoritative server; it puts every query at a single point where it can be logged, rate-limited and sinkholed.
Enhanced monitoring for DNS tunneling.

8. Conclusion:

An attacker used DNS tunneling to exfiltrate 210 KB of sensitive data, hiding the transfer inside a protocol that is almost always permitted outbound. ExtraHop detected the anomalous DNS query pattern and enabled containment within three minutes of the alert, though the exfiltration had already completed.

Closure Rationale: Data exfiltrated; exfiltration stopped; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 17:30 EST
