
DETECTION OVERVIEW

Cobalt Strike DNS Beaconing

Risk Factors

Cobalt Strike DNS beaconing is associated with a persistent, planned attack rather than a random, opportunistic attack. This type of beaconing requires an attacker to set up a sophisticated command-and-control (C&C) infrastructure. Through a persistent connection, an attacker can remotely control a device and gain an entry point for further attacks on your network.

Kill Chain

Command-and-Control

Risk Score

61

Detection diagram

Attack Background

Cobalt Strike is an attack toolkit that is often associated with malicious activity. The Cobalt Strike DNS Beacon tool within this toolkit establishes C&C communication from a victim device over DNS on standard port 53, which helps the attacker bypass firewalls and evade detection. The first step in setting up DNS Beacon is to create a C&C server that acts as an authoritative name server for a certain domain. Next, the attacker installs the DNS Beacon agent on the victim. The agent sends a beacon through a DNS query for the domain and the query is routed to the C&C server by the DNS server (1). The C&C server then sends the victim a DNS response (2) that tells the Beacon agent to be idle or to wake up and receive instructions over another established C&C channel.
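A detector for the traffic pattern described above, added here as an example and not part of the original page or of any RevealX component: it groups a constructed DNS query log by client and queried zone, then flags streams whose queries arrive at a near-constant interval and carry mostly unique subdomain labels, the two traits that distinguish a DNS beacon from ordinary resolution. The log format, the zone name `example-c2.test`, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log: (epoch seconds, client IP, queried name).
# 10.0.0.5 asks for a fresh label under one zone roughly every 60 s (beacon-like);
# 10.0.0.9 resolves ordinary names at irregular times (benign).
SAMPLE_LOG = [
    (1000, "10.0.0.5", "a1b2c3.example-c2.test"),
    (1060, "10.0.0.5", "d4e5f6.example-c2.test"),
    (1121, "10.0.0.5", "9a8b7c.example-c2.test"),
    (1180, "10.0.0.5", "0f1e2d.example-c2.test"),
    (1241, "10.0.0.5", "3c4b5a.example-c2.test"),
    (1300, "10.0.0.5", "6e7f80.example-c2.test"),
    (1003, "10.0.0.9", "www.example.com"),
    (1011, "10.0.0.9", "cdn.example.com"),
    (1150, "10.0.0.9", "mail.example.com"),
    (1700, "10.0.0.9", "www.example.com"),
]

def registered_domain(name, levels=2):
    """Collapse a query name to its last `levels` labels (the zone an attacker would control)."""
    return ".".join(name.lower().rstrip(".").split(".")[-levels:])

def find_dns_beacons(log, min_queries=5, max_jitter=0.1, min_unique_ratio=0.8):
    """Return (client, zone, mean_interval) for streams that look like DNS beaconing.
    A stream qualifies when the query intervals have a coefficient of variation
    below max_jitter and most labels under the zone are unique (data-carrying)."""
    streams = defaultdict(list)
    for ts, client, name in log:
        streams[(client, registered_domain(name))].append((ts, name))
    hits = []
    for (client, zone), entries in streams.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        gaps = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all queries share one timestamp; no interval to measure
            continue
        cv = pstdev(gaps) / avg
        unique_ratio = len({n for _, n in entries}) / len(entries)
        if cv <= max_jitter and unique_ratio >= min_unique_ratio:
            hits.append((client, zone, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for client, zone, interval in find_dns_beacons(SAMPLE_LOG):
        print(f"possible DNS beacon: {client} -> {zone} every ~{interval}s")
```

On real resolver logs, raise `min_queries` and tune `max_jitter` per environment, since Beacon profiles can add jitter and benign software (update checkers, monitoring agents) also polls on fixed timers.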

Mitigation Options

Quarantine the device while checking for the presence of malware

Monitor and investigate unusual network activity for lateral movement or data exfiltration

MITRE ATT&CK ID
