criblio / appscope

Gain observability into any Linux command or application with no code modification
https://appscope.dev
Apache License 2.0

DNS tunnelling/exfiltration POC #1591

Closed michalbiesek closed 1 year ago

michalbiesek commented 1 year ago

The base idea is as in the picture below:

(picture: slack)

The working branch for POC is: https://github.com/criblio/appscope/tree/feat-dns-poc

michalbiesek commented 1 year ago

The current plan:

michalbiesek commented 1 year ago

The initial changes support detecting a malicious size of DNS domain and I am able to send a notification to a Slack channel. TODO: Consider extending DNS request and response with DNS type information.
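
One way the domain-size check described in this comment could be applied to a raw DNS query, as an added example that is not AppScope's code: the thresholds, the function names and the small wire-format builder are assumptions for illustration. It also extracts QTYPE, the type information the TODO mentions, and rejects truncated or malformed packets instead of reading past the buffer.

```c
#include <stdint.h>
#include <string.h>

/* Thresholds are assumptions for this example, not AppScope settings. */
#define DNS_NAME_MAX_SUSPECT  100  /* whole QNAME longer than this is flagged */
#define DNS_LABEL_MAX_SUSPECT 40   /* any single label longer than this is flagged */

typedef struct {
    size_t   name_len;      /* dotted-name length, excluding the root label */
    size_t   longest_label;
    uint16_t qtype;         /* 1 = A, 16 = TXT, ... */
    int      suspicious;
} dns_query_info;

/* Parse the first question of a wire-format DNS query (RFC 1035): 0 = ok, -1 = truncated/malformed. */
int dns_inspect_query(const uint8_t *pkt, size_t len, dns_query_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 12) return -1;                            /* 12-byte header */
    size_t pos = 12;
    for (uint8_t lab = 0; pos < len && (lab = pkt[pos++]) != 0; pos += lab) {
        if ((lab & 0xC0) || pos + lab > len) return -1; /* no pointers in a QNAME */
        out->name_len += lab + (out->name_len ? 1 : 0); /* label plus its dot */
        if (lab > out->longest_label) out->longest_label = lab;
    }
    if (pos + 4 > len) return -1;                       /* need QTYPE and QCLASS after the name */
    out->qtype = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    out->suspicious = out->name_len > DNS_NAME_MAX_SUSPECT ||
                      out->longest_label > DNS_LABEL_MAX_SUSPECT;
    return 0;
}

/* Encode a dotted name into a minimal query packet (constructed input for testing only). */
size_t dns_build_query(const char *name, uint16_t qtype, uint8_t *buf, size_t cap)
{
    if (cap < 12) return 0;
    memset(buf, 0, 12); buf[5] = 1;                     /* QDCOUNT = 1 */
    size_t pos = 12;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || pos + 1 + lab + 5 > cap) return 0;
        buf[pos++] = (uint8_t)lab;
        memcpy(buf + pos, name, lab); pos += lab;
        name += lab + (dot ? 1 : 0);
    }
    buf[pos++] = 0;                                     /* root label */
    buf[pos++] = (uint8_t)(qtype >> 8); buf[pos++] = (uint8_t)qtype;
    buf[pos++] = 0; buf[pos++] = 1;                     /* QCLASS = IN */
    return pos;
}
```

A long hex-looking label in a TXT query trips the per-label threshold, while many moderately sized labels trip the total-length one; both are the shapes a DNS tunnel tends to produce.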

michalbiesek commented 1 year ago

The blog post proposal about it is presented in #1606