I’ve done several experiments with DNS, which has lead me over the last couple of years to develop a DNS resolver tool.
By no way is it a full fledged DNS server: it implements particular features that I’ve needed for different experiments I conducted.
It can serve files, facilitate exfiltration, do tracking, answer wildcard requests, do rcode testing and also simple resolving.
Upcoming blog posts will go into more details for some of these features.
Example of payload command: serving a file over DNS TXT recordsdnsresolver_V0_0_1.zip (https) MD5: 340C7324EB66EB4F567B38F374DD2564 SHA256: 56AD87585FDCC20C219BF4A27D9640ECD563E4155816990AB4E7B85AAFA5F047
I have some ad hoc tools, that help me with special text editing tasks. Like doing search and replace in a text file, with a list of search and replace terms. Or looking for assignment statements in the source code of a program, and replacing each variable with its value.
I decided to bundle these ad hoc scripts, into a single generic script, a new tool: texteditor.py
Here is an example, take text file example.txt with the following content:
There is an apple on the sun. It is nice and warm.
And CSV file sar.csv with the following content:
apple,pear sun,moon
The following sarcsv command edits file example.txt with sar.csv:
There are no code changes to this version of 1768.py, my tool to analyze Cobalt Strike beacons.
What is new, is file 1768.json: this file contains statistical data for license IDs.
Over a period of one month, I collected license ID information from these sources: threatviewio and @cobaltstrikebot.
For each license ID that is found on more than one IP address / hostname, I include simple statistics: the number of unique IP addresses / hostnames and the number of unique public keys.
When analyzing malicious Cobalt Strike beacons, I often see recurring license IDs. That’s why I decided to add logic and a JSON file to my tool, with license IDs I’ve seen before. And now this has evolved to a small repository of often seen license IDs.
Here is an example with a sample we discussed on the Internet Storm Center diary:
The license ID is 1873433027 and this ID is associated with 18 unique IP addresses / hostnames, and 15 unique public keys. This is a clear indication that this license ID is used by malicious actors. License IDs that have been seen only once, could belong to red teams, that is why they are not included in file 1768.json. The more often a license ID is seen, the higher the chance it is used by malicious actors. Of course, it is not excluded that there are legitimate license IDs from red teams in this list, but I expect they will have low frequencies.
Takeaway: if your sample has a license ID that appears in 1768.json, then it has been seen before (at least twice), and you’re likely not dealing with a pentest.
As I needed a Python implementation of an ssdeep tool, I decided to document the creation of such a tool with a video. I use my Python templates to quickly create this tool.
cs-dns-stager.py is a quick & dirty tool I wrote to retrieve a Cobalt Strike DNS beacon from its server, if you only have the IP address of said server.
If you want to know more about Cobalt Strike and DNS, watch this video I recorded:
