DNS tunnel exfiltration in restricted egress

§ Context

Assumed environment: foothold on a tightly-firewalled internal host. Only egress allowed is recursive DNS. Attacker controls a public domain and runs iodine / dnscat2 server.

§ Steps

1. 01
   Exfil sensitive data byte-by-byteExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   Foothold on host with no internetInitial Access

   T1078— Valid Accounts
3. 03
   Confirm DNS resolves attacker domainDiscovery

   T1018— Remote System Discovery
4. 04
   Start dnscat2 / iodine clientExfiltration

   DNS-TUNNEL-EXFIL— DNS Tunneling Exfil (iodine / dnscat2)
5. 05
   C2 channel over DNSCommand and Control

   DNS-DOH-C2— DNS-over-HTTPS C2 Channel

§ References

• T1041Exfiltration Over C2 Channel
• T1078Valid Accounts
• T1018Remote System Discovery

§ Frequently asked

What is the "DNS tunnel exfiltration in restricted egress" attack path?

Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil sensitive data byte-by-byte (T1041) — a exfiltration primitive. Assumed environment: foothold on a tightly-firewalled internal host.

What is the final impact of this kill-chain?

The final step lands on C2 channel over DNS (DNS-DOH-C2), which falls under Command and Control. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  Apple Pay Express Transit relay → high-value contactless fraud

  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.

• Shared techniques2

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques2

  Insider admin panel coercion → mass account takeover (Twitter 2020)

  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.

• Shared techniques2

  ERC-4626 first-depositor inflation → drain new deposits

  Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.

• Shared techniques2

  MEV bot honeypot → drain searcher

  Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.