DNS Beacons - C2 Communication

Definition

Some kinds of malware send periodic DNS queries to command and control (C2) servers. These periodic communications are known as beacons. DNS beacons can be used to re-establish control over malware, as a form of keepalive for infected hosts, or as a low-bandwidth form of C2 communication.

Advice

Because beaconing is infrequent, it can be harder to detect than sustained C2 traffic.

Configure the environment to only use authorized DNS resolvers, and check for outbound DNS traffic that bypasses them. Such traffic may indicate DNS beacons being attempted. The query logs on the configured resolvers can also be used to detect known C2 domains.

Check for network traffic to known malicious DNS servers in environments where any outbound DNS queries are allowed.

Examine regular DNS queries for known patterns of DNS beacons.

Reverse engineer malware to discover beaconing domains.

C2 beaconing frequently combines techniques such as DNS fast-flux, DGA domains, and tunneling. See advice on those techniques for more information.
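As an added example (not from the original page), the checks above expressed as detection logic in Python over a constructed sample of resolver query records: queries sent to resolvers outside an allow-list, queries under known C2 domains, and per-host periodic queries to one name with very regular timing. All hosts, names, addresses and thresholds are constructed assumptions.

```python
"""Flag DNS beacon candidates in constructed sample query records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (timestamp_seconds, client, resolver, qname), e.g. parsed from resolver logs.
SAMPLE_LOG = [
    # 10.0.0.7 queries the same name every ~300 s with little jitter: beacon-like
    *((300 * i + j, "10.0.0.7", "10.0.0.53", "svc.beacon-example.test")
      for i, j in enumerate((0, 2, -1, 3, 0, 1))),
    # 10.0.0.5 queries a CDN name at irregular, user-driven times: benign-looking
    *((t, "10.0.0.5", "10.0.0.53", "cdn.example-cdn.test") for t in (5, 9, 130, 131, 700, 1500)),
    # 10.0.0.9 sends a query to a resolver that is not on the allow-list
    (42, "10.0.0.9", "203.0.113.53", "www.example.test"),
    # a query for a name under a known C2 domain
    (77, "10.0.0.5", "10.0.0.53", "x.bad-c2.invalid"),
]
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}   # constructed allow-list
KNOWN_C2_DOMAINS = {"bad-c2.invalid"}               # constructed blocklist (e.g. from protective DNS)

def unauthorized_resolver_queries(records, authorized):
    """Queries sent to a resolver outside the allow-list: outbound DNS bypassing policy."""
    return [r for r in records if r[2] not in authorized]

def known_c2_queries(records, c2_domains):
    """Queries whose name, or any parent domain of it, is on the known-C2 list."""
    hits = []
    for r in records:
        labels = r[3].lower().rstrip(".").split(".")
        if any(".".join(labels[i:]) in c2_domains for i in range(len(labels))):
            hits.append(r)
    return hits

def beacon_candidates(records, min_queries=5, max_jitter=0.1):
    """Per (client, qname), flag near-constant inter-query intervals.

    Jitter is the coefficient of variation of the gaps (stdev / mean); real user
    traffic is bursty, so a low value over enough queries suggests a timer.
    Returns {(client, qname): mean_interval_seconds}.
    """
    times = defaultdict(list)
    for ts, client, _, qname in records:
        times[(client, qname.lower())].append(ts)
    out = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out[key] = round(avg, 1)
    return out
```

Real beacons often add deliberate jitter, so `max_jitter` is a tuning knob to evaluate against the environment's own baseline rather than a fixed answer.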

Examples

APT39 (also tracked as ITG07, Chafer and Remix Kitten; MITRE ATT&CK® Group G0087).

Cobalt Strike explicitly details beacons as a product feature.

The ZLoader Malware released an update which added C2 communications over DNS.

SUNBURST used DNS for C2 communications.

Potential Resources

DNS query logs on authorized resolvers can be used for the purposes detailed above. Protective DNS in particular can be used to find malicious domains being queried as C2 beacons.

CISA wrote a really good guide on implementing enterprise DNS in order to detect and block DNS beaconing and C2.

Netskope has a white paper on detecting C2 beaconing.