In my BruCON training “Malicious Documents For Red Teams” (October 2019), we will cover downloading files over DNS. I tweeted about downloading Mimikatz via DNS-over-HTTPS with an Excel sheet.
I’m not releasing the Python code to serve files via DNS, nor the VBA code to download files over DNS/DoH: this is reserved for the attendees of my training.
But here I am sharing capture files of the downloads via DNS, so that you can understand what the traffic looks like, and how to detect it.
Capture files inside the ZIP container (password is infected):
1-dns-txt.pcap: downloading of files via DNS TXT records: the EICAR file (binary, hexadecimal and BASE64 encoded) and Mimikatz.exe (BASE64 encoded)
2-DoH-txt.pcap: downloading of Mimikatz.exe via DNS TXT records via dns.google.com (Google’s DNS over HTTPS)
3-DoH-txt-domain-fronting.pcap: same as 2, but with domain fronting (www.google.com)
4-DoH-txt.pcapng: same as 2, but in a PCAPNG file with decryption keys
5-DoH-txt.pcapng: same as 4, but with shorter DNS TXT records (to help with decryption)
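As an added detection example (not code from this post or from the training material), the following heuristic flags the pattern a chunked file download over DNS TXT records leaves in a resolver log: one client issuing many TXT queries to one domain, with sequenced labels and long base64-looking answers. The log format, the sample lines and the thresholds are assumptions constructed for the example.

```python
import base64
import re
from collections import defaultdict

# Constructed sample resolver log, one "<ts> <client> <qtype> <qname> <rdata>" record per
# line (assumed format; these lines are NOT taken from the capture files on this page).
_CHUNKS = [base64.b64encode((f"constructed sample chunk {i:02d} " * 3).encode()).decode()
           for i in range(10)]
SAMPLE_LOG = [
    "1570000000.10 10.0.0.5 A www.example.com 93.184.216.34",
    "1570000000.20 10.0.0.5 TXT _dmarc.example.com v=DMARC1;p=reject",
    "1570000000.30 10.0.0.5 TXT example.com v=spf1 -all",
] + [f"1570000001.{i:02d} 10.0.0.7 TXT {i}.f.example.org {c}" for i, c in enumerate(_CHUNKS)]

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking rdata
SEQ_LABEL_RE = re.compile(r"^\d+\.")                      # numeric chunk counter as first label

def base_domain(qname):
    # Assumption: the last two labels approximate the registrable domain; production code
    # should use the public suffix list instead.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_line(line):
    ts, client, qtype, qname, rdata = line.split(" ", 4)
    return float(ts), client, qtype, qname, rdata

def score_txt_downloads(lines, min_queries=8, min_bytes=1000):
    """Return one alert per (client, domain) whose TXT traffic looks like a chunked download."""
    stats = defaultdict(lambda: {"txt": 0, "bytes": 0, "b64": 0, "seq": 0, "first": None, "last": None})
    for ts, client, qtype, qname, rdata in map(parse_line, lines):
        if qtype != "TXT":
            continue
        s = stats[(client, base_domain(qname))]
        s["txt"] += 1
        s["bytes"] += len(rdata)
        s["b64"] += bool(BASE64_RE.match(rdata))
        s["seq"] += bool(SEQ_LABEL_RE.match(qname))
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"] = ts
    alerts = []
    for (client, domain), s in stats.items():
        # Many TXT answers, many bytes, mostly base64-looking: legitimate TXT lookups
        # (SPF, DMARC, DKIM) stay far below these thresholds.
        if s["txt"] >= min_queries and s["bytes"] >= min_bytes and 2 * s["b64"] >= s["txt"]:
            alerts.append({"client": client, "domain": domain, "txt_queries": s["txt"],
                           "rdata_bytes": s["bytes"], "sequenced": s["seq"],
                           "seconds": round(s["last"] - s["first"], 2)})
    return alerts

if __name__ == "__main__":
    for alert in score_txt_downloads(SAMPLE_LOG):
        print(alert)
```

This only covers plain DNS as in 1-dns-txt.pcap: in the DoH captures (2 to 5) the internal resolver never sees these queries, so the same heuristic has to run on decrypted HTTPS traffic (which is what the PCAPNG decryption keys in 4 and 5 make possible) or be replaced by monitoring and policy for known DoH endpoints such as dns.google.com.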