DNS Over HTTPS for Cobalt Strike

Summary

This article details how to configure DNS over HTTPS (DoH) for Cobalt Strike, a popular command and control (C2) framework used in red team engagements. By using DoH, attackers can disguise their C2 traffic as ordinary encrypted web traffic to evade detection by network security monitoring tools.

IFF Assessment

FOE

This technique allows attackers to evade detection by blending their C2 traffic with legitimate DNS over HTTPS requests, making it harder for defenders to identify malicious activity.

Defender Context

Defenders should be aware of the increasing use of encrypted DNS protocols such as DoH for C2 communication. Monitoring and analyzing DNS traffic for anomalies and suspicious patterns, even when the queries themselves are encrypted, is crucial for detecting such evasion techniques.