{
  "name": "Leveraging DNS Tunneling for Tracking and Scanning",
  "slug": "leveraging-dns-tunneling-for-tracking-and-scanning",
  "description": "This article presents a case study on new applications of domain name system (DNS) tunneling that Palo Alto Networks Unit 42 has found in the wild. These techniques extend beyond the use of DNS tunneling solely for command and control (C2) and virtual private network (VPN) purposes.",
  "published": "2024-05-13T17:12:46+00:00",
  "created_at": "2024-05-13T17:12:46+00:00",
  "modified_at": "2024-05-13T17:28:27+00:00",
  "created_at_opencti": "2024-05-13T17:12:46+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-08",
    "2024-05-09",
    "2024-05-10",
    "2024-05-13",
    "alliance",
    "attack",
    "cobalt strike",
    "dns query",
    "dns traffic",
    "dns tunneling",
    "exploit",
    "oilrig",
    "trkcdn campaign",
    "trojan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "y0vkmu2eh896he7.epyujbhfhbs35j.com"
      },
      {
        "id": "",
        "name": "vfct3phbmc8qsx2.uxjxfg2ui8k5zk.com"
      },
      {
        "id": "",
        "name": "trk.simitor.com"
      },
      {
        "id": "",
        "name": "run0ibnpq8r34dj.hjmpfsamfkj5m5.com"
      },
      {
        "id": "",
        "name": "q8udswcmvznk34q.8egub9e7s6cz7n.com"
      },
      {
        "id": "",
        "name": "a8fc70b86e828ffed0f6b3408d30a037.trk.vibnere.com"
      },
      {
        "id": "",
        "name": "6e4ae1209a2afe123636f6074c19745d.trk.edrefo.com"
      },
      {
        "id": "",
        "name": "4e09ef9806fb9af448a5efcd60395815.trk.simitor.com"
      },
      {
        "id": "",
        "name": "50e5927056538d5087816be6852397f6.trk.frotel.info"
      },
      {
        "id": "",
        "name": "2c0b9017cf55630f1095ff42d9717732.trk.pordasa.info"
      },
      {
        "id": "",
        "name": "z54zspih9h5588.com"
      },
      {
        "id": "",
        "name": "21pwt2otx07d3et.wzbhk2ccghtshr.com"
      },
      {
        "id": "",
        "name": "ydxpwzhidexgny.com"
      },
      {
        "id": "",
        "name": "wzbhk2ccghtshr.com"
      },
      {
        "id": "",
        "name": "y43dkbzwar7cdt.com"
      },
      {
        "id": "",
        "name": "wk7ckgiuc6i.com"
      },
      {
        "id": "",
        "name": "vitrfar.info"
      },
      {
        "id": "",
        "name": "wj9ii6rx7yd.com"
      },
      {
        "id": "",
        "name": "vibnere.com"
      },
      {
        "id": "",
        "name": "uxjxfg2ui8k5zk.com"
      },
      {
        "id": "",
        "name": "tp7djzjtcs6gm6.com"
      },
      {
        "id": "",
        "name": "szd4hw4xdaj.com"
      },
      {
        "id": "",
        "name": "swh9cpz2xntuge.com"
      },
      {
        "id": "",
        "name": "sn9jxsrp23x63a.com"
      },
      {
        "id": "",
        "name": "simitor.com"
      },
      {
        "id": "",
        "name": "rz53par3ux2.com"
      },
      {
        "id": "",
        "name": "rhctiz9xijd4yc.com"
      },
      {
        "id": "",
        "name": "pordasa.info"
      },
      {
        "id": "",
        "name": "patycyfswg33nh.com"
      },
      {
        "id": "",
        "name": "npknraafbisrs7.com"
      },
      {
        "id": "",
        "name": "n98erejcf9t.com"
      },
      {
        "id": "",
        "name": "malicious.site"
      },
      {
        "id": "",
        "name": "m9y6dte7b9i.com"
      },
      {
        "id": "",
        "name": "iszedim8xredu2.com"
      },
      {
        "id": "",
        "name": "ifjh5asi25f.com"
      },
      {
        "id": "",
        "name": "hwa85y4icf5.com"
      },
      {
        "id": "",
        "name": "hjmpfsamfkj5m5.com"
      },
      {
        "id": "",
        "name": "hhmk9ixaw9p3ec.com"
      },
      {
        "id": "",
        "name": "h82c3stb3k5.com"
      },
      {
        "id": "",
        "name": "frotel.info"
      },
      {
        "id": "",
        "name": "f6ywh2ud89u.com"
      },
      {
        "id": "",
        "name": "f6kf5inmfmj.com"
      },
      {
        "id": "",
        "name": "epyujbhfhbs35j.com"
      },
      {
        "id": "",
        "name": "ege6wf76eyp.com"
      },
      {
        "id": "",
        "name": "edrefo.com"
      },
      {
        "id": "",
        "name": "dipgprjp8uu.com"
      },
      {
        "id": "",
        "name": "d6zeh4und3yjt9.com"
      },
      {
        "id": "",
        "name": "cytceitft8g.com"
      },
      {
        "id": "",
        "name": "cgb488dixfxjw7.com"
      },
      {
        "id": "",
        "name": "bb62sbtk3yi.com"
      },
      {
        "id": "",
        "name": "b5ba24k6xhxn7b.com"
      },
      {
        "id": "",
        "name": "aucxjd8rrzh7xf.com"
      },
      {
        "id": "",
        "name": "api536yepwj.com"
      },
      {
        "id": "",
        "name": "anrad9i7fb2twm.com"
      },
      {
        "id": "",
        "name": "afusdnfysbsf.com"
      },
      {
        "id": "",
        "name": "93dhmp7ipsp.com"
      },
      {
        "id": "",
        "name": "8kk68biiitj.com"
      },
      {
        "id": "",
        "name": "8jtuazcr548ajj.com"
      },
      {
        "id": "",
        "name": "8egub9e7s6cz7n.com"
      },
      {
        "id": "",
        "name": "85hsyad6i2ngzp.com"
      },
      {
        "id": "",
        "name": "66tye9kcnxi.com"
      },
      {
        "id": "",
        "name": "4bs6hkaysxa.com"
      },
      {
        "id": "",
        "name": "3yfr6hh9dd3.com"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c66658b6074d27c4",
        "name": "Cobalt Strike",
        "slug": "cobalt-strike"
      }
    ],
    "attack_patterns": [
      {
        "id": "f586e043-1a3a-4e6f-882f-62165b7cd14a",
        "name": "TA0011"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/",
    "https://otx.alienvault.com/pulse/6642662fab369f4885c2bb5b"
  ]
}