T1071 - DNS Tunneling
Opened this issue · 0 comments
Description
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
Plan
Do research into http://asintsov.blogspot.com/2017/12/data-exfiltration-in-metasploit.html and identify what infrastructure changes we'll need to make to support this.
While we can do this with something like Cobalt Strike, I'd like to have it as a native capability