DNS Over HTTPS for Cobalt Strike
Summary
This article discusses the use of DNS over HTTPS (DoH) as a method to conceal Cobalt Strike Command and Control (C2) traffic. The author highlights the increasing difficulty in setting up C2 infrastructure for red team engagements and presents DoH as a technique to bypass security detections.
IFF Assessment
FOE
The article describes a technique used by attackers (red teamers) to evade detection, which is bad news for defenders.
Defender Context
Defenders should be aware that attackers can leverage DoH to obfuscate malicious traffic, since it bypasses traditional network security monitoring that focuses on clear-text DNS. Implementing stricter DoH policies and enhancing egress traffic filtering may be necessary to detect and prevent such evasive techniques.
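One concrete way to act on that advice is to look for RFC 8484 DoH lookups in the logs of an inspecting web proxy and recover the names being queried. The following is an added example written for this summary, not code from the original article or from Cobalt Strike; the proxy log format (client, method, URL, content type) is an assumption, the resolver and query names are constructed placeholders, and the detection relies only on the standard DoH markers from RFC 8484 (the `application/dns-message` media type, the conventional `/dns-query` path, and the base64url `dns=` GET parameter).

```python
"""Find DNS-over-HTTPS (RFC 8484) lookups in web-proxy logs and recover the queried names.

Added example. The log format is a constructed assumption, not any real proxy's output.
"""
import base64
import struct
from urllib.parse import parse_qs, urlparse

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type
DOH_PATH = "/dns-query"                        # conventional RFC 8484 endpoint path


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal wire-format DNS query so the sample log is self-contained."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def extract_qname(msg: bytes) -> str:
    """Parse the first question name out of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("message too short for a DNS header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected compression pointer")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def decode_dns_param(value: str) -> bytes:
    """RFC 8484 GET requests carry the query as unpadded base64url in ?dns=."""
    padding = "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value + padding)


def classify(method: str, url: str, content_type: str):
    """Return why a request looks like DoH ('content-type' or 'path'), or None."""
    if content_type == DOH_CONTENT_TYPE:
        return "content-type"
    if urlparse(url).path.endswith(DOH_PATH):
        return "path"
    return None


def analyze(log_lines):
    """Return one finding per DoH-looking request, with the queried name when recoverable."""
    findings = []
    for line in log_lines:
        client, method, url, ctype = line.split()
        reason = classify(method, url, "" if ctype == "-" else ctype)
        if reason is None:
            continue
        qname = None
        if method == "GET":
            dns_param = parse_qs(urlparse(url).query).get("dns")
            if dns_param:
                try:
                    qname = extract_qname(decode_dns_param(dns_param[0]))
                except ValueError:
                    qname = None  # malformed or non-DNS payload; still worth flagging
        findings.append({
            "client": client,
            "resolver": urlparse(url).hostname,
            "reason": reason,
            "qname": qname,
        })
    return findings


# Constructed sample log: one DoH GET, one DoH POST, one ordinary web request.
_encoded = base64.urlsafe_b64encode(build_dns_query("beacon.example.invalid")).rstrip(b"=").decode()
SAMPLE_LOG = [
    f"10.0.0.5 GET https://resolver.example/dns-query?dns={_encoded} -",
    "10.0.0.5 POST https://resolver.example/dns-query application/dns-message",
    "10.0.0.7 GET https://www.example.org/index.html text/html",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The POST form carries the query in the body, so only the GET form yields a name from URL-level logs; a proxy that records bodies could feed the same `extract_qname` routine. This only works where egress HTTPS is inspected: without a decrypting proxy, DoH to an unapproved resolver shows up as nothing more than a TLS session to port 443, which is exactly why the article's technique blinds port-53 monitoring and why egress filtering to approved resolvers matters.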