DNS Beacons
You have the option to shape the DNS Beacon/Listener network traffic with Malleable C2.
dns-beacon "optional-variant-name" {
    # Options moved into 'dns-beacon' group in 4.3: 
    set dns_idle              "1.2.3.4";
    set dns_max_txt           "199";
    set dns_sleep             "1";
    set dns_ttl               "5";
    set maxdns                "200";
    set dns_stager_prepend    "doc-stg-prepend"; 
    set dns_stager_subhost    "doc-stg-sh.";
    # DNS subhost override options added in 4.3: 
    set beacon                "doc.bc.";
    set get_A                 "doc.1a.";
    set get_AAAA              "doc.4a.";
    set get_TXT               "doc.tx.";
    set put_metadata          "doc.md.";
    set put_output            "doc.po.";
    set ns_response           "zero";
    set comm_mode             "dns";
}
The settings are:
| Option | Default Value | Changes | 
|---|---|---|
| dns_idle | 0.0.0.0 | IP address used to indicate no tasks are available to DNS Beacon; Mask for other DNS C2 values. | 
| dns_max_txt | 252 | Maximum length of DNS TXT responses for tasks. | 
| dns_sleep | 0 | Force a sleep prior to each individual DNS request (in milliseconds). | 
| dns_stager_prepend | | Prepend text to payload stage delivered to DNS TXT record stager. |
| dns_stager_subhost | .stage.123456. | Subdomain used by DNS TXT record stager. | 
| dns_ttl | 1 | TTL for DNS replies. | 
| maxdns | 255 | Maximum length of hostname when uploading data over DNS (0-255). | 
| beacon | | DNS subhost prefix used for beaconing requests (lowercase text). |
| get_A | cdn. | DNS subhost prefix used for A record requests (lowercase text). | 
| get_AAAA | www6. | DNS subhost prefix used for AAAA record requests (lowercase text). |
| get_TXT | api. | DNS subhost prefix used for TXT record requests (lowercase text). | 
| put_metadata | www. | DNS subhost prefix used for metadata requests (lowercase text). | 
| put_output | post. | DNS subhost prefix used for output requests (lowercase text). | 
| ns_response | drop | How to process NS Record requests. "drop" does not respond to the request (default), "idle" responds with A record for IP address from "dns_idle", "zero" responds with A record for 0.0.0.0. | 
| comm_mode | dns | Used to enable DNS Over HTTPS as the default for the variant. Valid values are "dns" or "dns-over-https". | 
You can use "ns_response" when a DNS server is responding to a target with "Server failure" errors. A public DNS Resolver may be initiating NS record requests that the DNS Server in Cobalt Strike Team Server is dropping by default.
{target}      {DNS Resolver} Standard query 0x5e06 A doc.bc.11111111.a.example.com
{DNS Resolver} {target}       Standard query response 0x5e06 Server failure A doc.bc.11111111.a.example.com
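From the defender's side, the defaults in the settings table above can be used as detection indicators in resolver logs. The following is an added example, not part of the Cobalt Strike documentation; the record fields (`qname`, `qtype`, `answer`, `ttl`), the thresholds, the two-label zone grouping and the sample records are assumptions constructed for illustration. Because labels such as `www.` and `api.` are common in benign traffic, a record only counts when it matches at least two indicators.

```python
from collections import defaultdict

# Defaults copied from the settings table on this page.
DEFAULT_PREFIXES = ("cdn.", "www6.", "api.", "www.", "post.")
DEFAULT_STAGER_SUBHOST = ".stage.123456."
DEFAULT_IDLE_IP = "0.0.0.0"   # dns_idle
DEFAULT_TTL = 1               # dns_ttl

def parent_zone(qname, labels=2):
    """Last `labels` labels of the name (assumption: sufficient for grouping)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def score_record(rec):
    """Return the default-value indicators that one DNS log record matches."""
    q = rec["qname"].lower().rstrip(".") + "."
    hits = []
    if q.startswith(DEFAULT_PREFIXES):
        hits.append("default_prefix")
    if DEFAULT_STAGER_SUBHOST in "." + q:
        hits.append("default_stager_subhost")
    if rec.get("qtype") == "A" and rec.get("answer") == DEFAULT_IDLE_IP:
        hits.append("idle_answer")
    if rec.get("ttl") == DEFAULT_TTL:
        hits.append("default_ttl")
    return hits

def suspicious_zones(records, min_indicators=2, min_queries=3):
    """Zones with >= min_queries records that each match >= min_indicators."""
    per_zone = defaultdict(list)
    for rec in records:
        hits = score_record(rec)
        if len(hits) >= min_indicators:
            per_zone[parent_zone(rec["qname"])].append(hits)
    return {zone: sorted({h for hits in matched for h in hits})
            for zone, matched in per_zone.items() if len(matched) >= min_queries}

SAMPLE = [  # constructed records, not real traffic
    {"qname": "www.example.org", "qtype": "A", "answer": "192.0.2.10", "ttl": 300},
    {"qname": "cdn.1a2b3c4d.a.example.com", "qtype": "A", "answer": "0.0.0.0", "ttl": 1},
    {"qname": "post.1a2b3c4d.a.example.com", "qtype": "A", "answer": "0.0.0.0", "ttl": 1},
    {"qname": "api.1a2b3c4d.a.example.com", "qtype": "TXT", "answer": "", "ttl": 1},
    {"qname": "api.example.net", "qtype": "A", "answer": "198.51.100.7", "ttl": 60},
]

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE))
```

A profile that overrides these options will not match, so the same scoring should also be fed any prefixes recovered from a known profile.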
dns-over-https
dns-beacon "doh_example" {
    set       comm_mode                   "dns-over-https"; 
    dns-over-https {
        set       doh_verb                "POST";
        set       doh_useragent           "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)";
        set       doh_proxy_server        "https://my.proxy.server:99";
        set       doh_server              "mozilla.cloudflare-dns.com,cloudflare-dns.com";
        set       doh_accept              "application/dns-message";
        header   "Content-Type"           "application/dns-message";
        header   "Header-2"               "header2";
    }
}
The settings are:
| Option | Default Value | Changes | 
|---|---|---|
| doh_verb | POST | Uses "GET" or "POST" values. | 
| doh_useragent | | User agent string used when opening an internet connection. Maximum length is 128. |
| doh_proxy_server | | Specifies a proxy server to egress HTTPS. |
| doh_server | mozilla.cloudflare-dns.com,cloudflare-dns.com | Comma separated list of DOH servers to use. Maximum length is 256. | 
| doh_accept | application/dns-message | Used as the “accept types” on the open request API. Maximum length is 128. | 
| header | Content-Type application/dns-message | Defines headers used to decorate the HTTPS requests. |