Threat Hunting Malware Communication over DNS
Episode 2

Antisyphon Training Anticasts

January 17, 2026, 1h 26m

Show Notes

Are attackers hiding in your DNS traffic right now?

🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits – 

https://poweredbybhis.com

Join instructor Faan Rossouw for a free one-hour training on hunting malware that uses DNS as a covert communication channel.

C2 frameworks, RATs, and backdoors frequently exploit DNS to stay hidden - sometimes for months. High-profile attacks like SolarWinds' Sunburst demonstrate just how devastating undetected DNS exfiltration can be.

This Antisyphon Anti-Cast focuses on behavior-based threat hunting techniques that go beyond signatures to uncover suspicious DNS activity attackers think they've hidden.

You'll learn how to:
* Recognize network artifacts that DNS tunneling produces
* Identify anomalies in DNS record types that signal malicious use
* Leverage open-source tools like Zeek, RITA, and Sysmon to detect malware abusing DNS
* Build detection strategies that make it very hard for DNS-based threats to remain hidden

If you're ready to stop trusting DNS and start verifying it, this session will give you the practical skills to hunt what's lurking in your network.

Chapters:

  • (00:00) - Intro - Threat Hunting Malware Communication over DNS
  • (00:53) - Introducing Faan
  • (02:28) - Threat Hunting C2 Over DNS
  • (04:00) - Threat Hunting - What is it and why is it awesome?
  • (05:42) - Assumed Compromise
  • (06:55) - David J. Bianco – Pyramid of Pain Guy
  • (13:28) - C2 Over DNS
  • (28:03) - TXT Record Abuse
  • (32:46) - Null Record
  • (35:07) - CNAME, MX, SRV… Oh my
  • (38:26) - DNS Sandwich
  • (42:48) - ID Field Misuse
  • (48:58) - EDNS0
  • (52:33) - Encrypted DNS
  • (55:15) - Main Takeaway
  • (56:14) - The Workshop: Build a Reflective Shellcode Loader C2 in Golang
  • (57:51) - Q&A Start
  • (01:00:15) - DNS and Splunk?
  • (01:01:48) - Suggestions for Detecting DGA?
  • (01:03:25) - Offensive Security Tooling from a Threat Hunter Perspective
  • (01:07:27) - Restrict outbound DNS to protect against C2?
  • (01:09:06) - Communicating the value of Threat Hunting to Higher Ups.
  • (01:13:49) - Closing Remarks

Creators & Guests
Brought to you by:

Black Hills Information Security 

https://www.blackhillsinfosec.com


Antisyphon Training

https://www.antisyphontraining.com/


Active Countermeasures

https://www.activecountermeasures.com


Wild West Hackin Fest

https://wildwesthackinfest.com
