Forensic Blogs

An aggregator for digital forensics blogs

by

Downloading Executables Over DNS: Capture Files

In my BruCON training “Malicious Documents For Red Teams” (October 2019), we will cover downloading of files over DNS. I Tweeted about downloading Mimikatz via DNS-over-HTTPS with an Excel sheet.

I’m not releasing the Python code to serve files via DNS, nor the VBA code to download files over DNS/DoH: this is reserved for the attendees of my training.

But here I am sharing capture files of the downloads via DNS, so that you can understand how traffic looks like, and how to detect it.

Capture files inside the ZIP container (password is infected):

1-dns-txt.pcap: downloading of files via DNS TXT records, EICAR file (binary, hexadecimal and BASE64 encoded) and Mimikatz.exe (BASE64 encoded) 2-DoH-txt.pcap: downloading of Mimikatz.exe via DNS TXT records via dns.google.com (Google’s DNS over HTTPS) 3-DoH-txt-domain-fronting.pcap: same as 2, but with domain fronting (www.google.com) 4-DoH-txt.pcapng: same as 2, but in a PCAPNG file with decryption keys 5-DoH-txt.pcapng: same as 4, but with shorter DNS TXT records (to help with decryption)

DNS_TXT_captures.zip (https)
MD5: 5DB5091B9B641E9B8DA0E29CE9870981
SHA256: 49858B8BBA851B86EAB2DB6C5F329C5B587A3B1C7EB1A1E6028BCFBCDF445ECC

by

Overview of Content Published in July

Here is an overview of content I published in July:

Blog posts:

Quickpost: nslookup Types Update: format-bytes.py Version 0.0.9 Quickpost: tcp-honeypot.py & Browser Tests

YouTube videos:

Analyzing Compressed PowerShell Scripts

Videoblog posts:

Analyzing Compressed PowerShell Scripts

SANS ISC Diary entries:

Maldoc: Payloads in User Forms A “Stream O” Maldoc Machine Code? Malicious XSL Files Machine Code? No! isodump.py and Malicious ISO Files Malicious RTF Analysis CVE-2017-11882 by a Reader Analyzing Compressed PowerShell Scripts A Python TCP proxy Video: Analyzing Compressed PowerShell Scripts Recognizing ZLIB Compression