Author Topic: Evading Sysmon DNS Monitoring  (Read 664 times)

BigBrother

Evading Sysmon DNS Monitoring
« on: August 28, 2020, 03:43:37 pm »
In a recent update to Sysmon, a new feature was introduced allowing the ability to log DNS events. While this gives an excellent datapoint for defenders (shout out to the SysInternals team for continuing to provide and support these awesome tools for free), for us as attackers, this means that should our implant or payloads attempt to communicate via DNS, BlueTeam have a potential way to pick up on indicators which could lead to detection.

An obvious place where this may affect a campaign is C2 over DNS, where numerous requests will be logged, potentially giving the game away. In the event I came across this deployed during an engagement, I wanted to spend a bit of time understanding just how to evade detection. In this short post I will document one such way which appears to work with Sysmon 10.1.

But before we start to look to evade Sysmon, we need to first deploy it within a lab environment. To do this, I generally use @SwiftOnSecurity's sysmon-config, and install Sysmon with:

    sysmon.exe -accepteula -i rules.xml

With our test environment up and running, you will start to see events rolling in. Filtering for Event ID 22 will focus on "DNS query", which will appear like this:

With everything up and running, let's start by looking how logging is being performed.

Read the full article @ https://blog.xpnsec.com/evading-sysmon-dns-monitoring/
--
Best Regards
CFTIRC Admin
https://www.acfti.org/cftirc-community
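As an added defender-side example (not from the original post or the linked article), the following Python parses Sysmon Event ID 22 records exported as XML and flags the shape DNS C2 leaves in that log: one process issuing many distinct, random-looking subdomains under a single parent domain. The sample records, the path of implant.exe, the domain c2.example and the thresholds are constructed placeholders and assumptions, not real indicators.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(image, qname):
    # Constructed Sysmon Event ID 22 record, trimmed to the fields used below.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>22</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="QueryName">{qname}</Data></EventData></Event>')

# Constructed sample log: implant.exe and c2.example are placeholders, not real IoCs.
SAMPLE_EVENTS = "<Events>" + "".join(_event(img, q) for img, q in [
    (r"C:\Windows\System32\svchost.exe", "www.microsoft.com"),
    (r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com"),
    (r"C:\Windows\System32\svchost.exe", "dns.msftncsi.com"),
    (r"C:\Users\Public\implant.exe", "3f9a1c7e2b8d4065.c2.example"),
    (r"C:\Users\Public\implant.exe", "b72e0d4c6a915f83.c2.example"),
    (r"C:\Users\Public\implant.exe", "0c8e5a2f7b1d9463.c2.example"),
    (r"C:\Users\Public\implant.exe", "e41b9d05c7a3f862.c2.example"),
]) + "</Events>"

def parse_dns_events(xml_text):
    """Yield (image, query_name) for every Event ID 22 record in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        yield data.get("Image", ""), data.get("QueryName", "").lower().rstrip(".")

def shannon_entropy(s):
    """Bits per character; random-looking labels score well above plain words."""
    n = len(s) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def flag_dns_tunnel_candidates(xml_text, min_unique=4, min_entropy=3.0):
    """Group queries by (process, parent domain) and flag groups emitting many distinct
    high-entropy subdomains. Parent = last two labels (simplification, no public-suffix list)."""
    groups = defaultdict(set)
    for image, qname in parse_dns_events(xml_text):
        labels = qname.split(".")
        if len(labels) >= 3:
            groups[(image, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    findings = []
    for (image, parent), subs in groups.items():
        avg_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_entropy >= min_entropy:
            findings.append({"image": image, "domain": parent,
                             "unique_subdomains": len(subs), "avg_entropy": round(avg_entropy, 2)})
    return findings
```

On a live host the same records can be pulled with Get-WinEvent from the Microsoft-Windows-Sysmon/Operational log and exported to XML before running this; the thresholds need tuning against baseline traffic, since CDNs and telemetry also produce hashed-looking labels.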