{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dns/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","spn-spoofing","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies a specific pattern in DNS queries indicative of Kerberos SPN spoofing, a technique used to coerce systems into authenticating to attacker-controlled hosts. The pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; represents a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers exploit this by crafting malicious DNS names to trick victim systems into requesting Kerberos tickets for legitimate services, often their own identity, but directed towards an attacker-controlled endpoint. This can lead to Kerberos relay or NTLM reflection/relay attacks, bypassing normal NTLM fallback mechanisms. The technique is associated with tools like RemoteKrbRelay and wspcoerce. This activity has been observed in various attacks targeting Windows environments where Kerberos authentication is prevalent. Defenders need to detect and mitigate this early stage of credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target Windows system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious server to receive coerced authentication requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS query containing a base64-encoded blob \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; representing a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe victim system, triggered by an external factor (e.g., RPC call, scheduled task, or web request), attempts to resolve the crafted DNS name.\u003c/li\u003e\n\u003cli\u003eThe malicious DNS query is sent to the DNS server, which resolves to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe victim system initiates a Kerberos authentication request to the attacker\u0026rsquo;s server, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server relays the Kerberos ticket or uses NTLM reflection/relay techniques to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the victim system or pivots to other systems within the network using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential compromise, lateral movement, and domain takeover. Victims in Active Directory environments are particularly vulnerable. The impact includes unauthorized access to sensitive data, disruption of services, and potential ransomware deployment. If the coerced service has high privileges, the attacker can gain complete control over the compromised system or even the entire domain. Organizations using Kerberos authentication are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Kerberos SPN Spoofing via Suspicious DNS Query\u0026rdquo; rule to your SIEM and tune for your environment to detect malicious DNS queries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 - DNS Query logging to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any DNS queries resolving to external IPs that contain the \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; pattern.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes initiating DNS queries containing the suspicious pattern, specifically looking for known coercion tools.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of lateral movement if a system is compromised.\u003c/li\u003e\n\u003cli\u003eReview and harden Kerberos configurations to prevent SPN spoofing and relay attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T17:31:25Z","date_published":"2026-05-01T17:31:25Z","id":"/briefs/2024-10-kerberos-spn-spoofing-dns/","summary":"Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.","title":"Potential Kerberos SPN Spoofing via Suspicious DNS Query","url":"https://feed.craftedsignal.io/briefs/2024-10-kerberos-spn-spoofing-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["hickory-recursor","hickory-resolver"],"_cs_severities":["medium"],"_cs_tags":["dns","cache-poisoning","zone-delegation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks","Hickory DNS"],"content_html":"\u003cp\u003eThe Hickory DNS project\u0026rsquo;s experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate, now integrated into \u003ccode\u003ehickory-resolver\u003c/code\u003e under the \u003ccode\u003erecursor\u003c/code\u003e feature, contains a vulnerability in its DNS record cache (\u003ccode\u003eDnsLru\u003c/code\u003e). The cache stores records based on the record\u0026rsquo;s name and type, rather than the originating query. This design flaw allows for cross-zone cache poisoning because the \u003ccode\u003ecache_response()\u003c/code\u003e function chains \u003ccode\u003eANSWER\u003c/code\u003e, \u003ccode\u003eAUTHORITY\u003c/code\u003e, and \u003ccode\u003eADDITIONAL\u003c/code\u003e sections into a single record iterator during insertion. The bailiwick filter uses the zone context of the NS pool that serviced the lookup, leading to improper validation of records from sibling zones. This issue affects all published versions of the experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate prior to its integration into \u003ccode\u003ehickory-resolver\u003c/code\u003e 0.26.0. Users of the \u003ccode\u003ehickory-dns\u003c/code\u003e binary configured with the \u003ccode\u003erecursor\u003c/code\u003e feature are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers the domain \u003ccode\u003eattacker.poc.\u003c/code\u003e and sets up a malicious nameserver.\u003c/li\u003e\n\u003cli\u003eHickory DNS server queries the nameserver for \u003ccode\u003eattacker.poc.\u003c/code\u003e to build its NS pool.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver responds with an \u003ccode\u003eAUTHORITY\u003c/code\u003e section that includes a malicious record delegating a sibling zone, such as \u003ccode\u003evictim.poc.\u003c/code\u003e, to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Hickory DNS server\u0026rsquo;s bailiwick check incorrectly validates the malicious \u003ccode\u003evictim.poc. NS ns.evil.poc.\u003c/code\u003e record because \u003ccode\u003evictim.poc.\u003c/code\u003e is a subdomain of the parent zone \u003ccode\u003epoc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious NS record for \u003ccode\u003evictim.poc.\u003c/code\u003e is stored in the cache, keyed by \u003ccode\u003e(victim.poc., NS)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA client queries the Hickory DNS server for a name within the \u003ccode\u003evictim.poc.\u003c/code\u003e zone.\u003c/li\u003e\n\u003cli\u003eHickory DNS server builds its NS pool for \u003ccode\u003evictim.poc.\u003c/code\u003e using the poisoned cache entry, directing queries to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver now receives queries intended for the legitimate \u003ccode\u003evictim.poc.\u003c/code\u003e nameserver, allowing the attacker to intercept and manipulate DNS resolution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to redirect DNS queries for a target domain to an attacker-controlled nameserver. This can lead to various malicious activities, including phishing attacks, man-in-the-middle attacks, and the distribution of malware. The vulnerability affects any system using Hickory DNS with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled, potentially impacting a wide range of users relying on the resolver for DNS resolution. If the targeted domain is critical for service delivery (e.g., email, web), the impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ehickory-resolver\u003c/code\u003e version 0.26.0 or later with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled to address the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-83hf-93m4-rgwq\"\u003ehttps://github.com/advisories/GHSA-83hf-93m4-rgwq\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable the \u003ccode\u003erecursor\u003c/code\u003e feature in \u003ccode\u003ehickory-dns\u003c/code\u003e to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unexpected NS record changes, focusing on \u003ccode\u003eAUTHORITY\u003c/code\u003e sections of DNS responses, using a custom rule based on your environment and typical DNS configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:10:58Z","date_published":"2026-04-30T18:10:58Z","id":"/briefs/2024-11-hickory-dns-poisoning/","summary":"The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled nameserver.","title":"Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation","url":"https://feed.craftedsignal.io/briefs/2024-11-hickory-dns-poisoning/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dns","denial-of-service","bind"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Internet Systems Consortium (ISC) BIND (Berkeley Internet Name Domain) is a widely used open-source DNS server software. Multiple vulnerabilities exist within BIND that can be exploited by remote attackers. An unauthenticated attacker can leverage these flaws to conduct denial-of-service (DoS) attacks, disrupting DNS resolution services. The specific versions affected are not specified in the provided source, but administrators should consult ISC\u0026rsquo;s security advisories for detailed version information. Exploitation of these vulnerabilities can severely impact the availability of services that rely on DNS resolution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable BIND DNS server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends specially crafted DNS queries to the target server. These queries exploit known vulnerabilities within the BIND software.\u003c/li\u003e\n\u003cli\u003eThe BIND server, upon processing the malicious queries, experiences a resource exhaustion issue.\u003c/li\u003e\n\u003cli\u003eThe excessive resource consumption leads to the BIND process becoming unresponsive.\u003c/li\u003e\n\u003cli\u003eLegitimate DNS requests are no longer processed, resulting in a denial of service for clients relying on the BIND server for name resolution.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to maintain the denial of service condition.\u003c/li\u003e\n\u003cli\u003eThe impact is widespread as applications and services reliant on DNS name resolution become unavailable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these BIND vulnerabilities can lead to a denial-of-service condition, disrupting DNS resolution services. This impacts all services reliant on the affected BIND server, potentially affecting thousands of users and systems. The lack of DNS resolution can lead to widespread application failures, service unavailability, and reputational damage. The absence of specific victim counts prevents a definitive assessment of impact scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor DNS server logs for anomalies indicative of denial-of-service attacks, focusing on query rates and resource utilization.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to identify potentially malicious DNS queries targeting BIND servers.\u003c/li\u003e\n\u003cli\u003eConsult ISC\u0026rsquo;s security advisories for specific vulnerability details and apply the necessary patches to your BIND installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:14:09Z","date_published":"2026-03-30T10:14:09Z","id":"/briefs/2026-03-isc-bind-dos/","summary":"Multiple vulnerabilities in Internet Systems Consortium BIND can be exploited by a remote attacker to conduct a denial of service attack or bypass security measures.","title":"Internet Systems Consortium BIND Vulnerabilities Leading to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-03-isc-bind-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["kerberos","coercion","dns","spn","spoofing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential Kerberos coercion attempts via DNS-based SPN spoofing on Windows systems. The technique abuses MicrosoftDNS records, specifically looking for directory-service access or creation events (event codes 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed within Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to a system with privileges to modify DNS records in Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new MicrosoftDNS record or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin the DNS record, specifically in the \u003ccode\u003eAdditionalInfo\u003c/code\u003e or \u003ccode\u003eObjectDN\u003c/code\u003e attributes, the attacker inserts a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the DNS record to point to an attacker-controlled host. This involves manipulating the record\u0026rsquo;s name and associated IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the Kerberos authentication request.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; and \u0026ldquo;Audit Directory Service Changes\u0026rdquo; Windows audit policies to ensure relevant events are logged (Setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. Tune the rules based on your environment and known legitimate activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).\u003c/li\u003e\n\u003cli\u003eRestrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-kerberos-coercion-dns/","summary":"Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.","title":"Potential Kerberos Coercion via DNS-Based SPN Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon","Chrome","Edge","Firefox","Safari","Brave Browser","Opera Browser","Vivaldi Browser","WebView2"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","dns"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Mozilla","Apple","Brave","Opera","Vivaldi"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs an unauthorized RMM tool (e.g., using a script or installer).\u003c/li\u003e\n\u003cli\u003eThe RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRMM Domain DNS Queries from Non-Browser Processes\u003c/code\u003e to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the \u0026ldquo;Setup\u0026rdquo; section of the content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-domain-dns/","summary":"Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.","title":"RMM Domain DNS Queries from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["telegram","command-and-control","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram\u0026rsquo;s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker sends commands to the bot, which are relayed to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially including data exfiltration or further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates sensitive data to the attacker via the Telegram bot.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system via the Telegram bot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. A successful attack can lead to significant data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telegram DNS Queries\u003c/code\u003e to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003eapi.telegram.org\u003c/code\u003e at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.\u003c/li\u003e\n\u003cli\u003eUpdate Sysmon to at least version 6.0.4 to ensure comprehensive DNS event logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-telegram-dns-query/","summary":"Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.","title":"Suspicious DNS Queries to Telegram API by Non-Telegram Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-03-telegram-dns-query/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CoreDNS"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33489","acl-bypass","dns","zone-transfer","coredns"],"_cs_type":"advisory","_cs_vendors":["CoreDNS"],"content_html":"\u003cp\u003eA vulnerability exists in the CoreDNS transfer plugin related to Access Control List (ACL) stanza selection. When both a parent zone and a more-specific subzone are configured with transfer rules, CoreDNS versions prior to 1.14.3 may incorrectly prioritize the parent zone\u0026rsquo;s rule over the subzone\u0026rsquo;s due to a lexicographic string comparison instead of a proper longest-match algorithm. This can lead to a permissive parent-zone transfer rule overriding a more restrictive subzone rule, allowing unauthorized clients to perform AXFR/IXFR requests and retrieve zone contents they should not have access to. This vulnerability matters because it can expose sensitive DNS information to unauthorized parties, potentially aiding reconnaissance or enabling further attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a CoreDNS server running a version prior to 1.14.3.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the CoreDNS server is configured with both a parent zone (e.g., example.org.) and a subzone (e.g., a.example.org.) with different transfer ACLs. The parent zone\u0026rsquo;s ACL is more permissive than the subzone\u0026rsquo;s.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an AXFR or IXFR request specifically targeting the subzone (a.example.org.).\u003c/li\u003e\n\u003cli\u003eThe CoreDNS server\u0026rsquo;s transfer plugin incorrectly selects the parent zone\u0026rsquo;s ACL due to the lexicographic comparison logic, which favors \u0026ldquo;example.org.\u0026rdquo; over \u0026ldquo;a.example.org.\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe server authorizes the transfer based on the permissive parent zone ACL.\u003c/li\u003e\n\u003cli\u003eThe CoreDNS server responds to the attacker\u0026rsquo;s request, providing the full zone contents of the subzone.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the zone data, gaining access to information such as hostnames, IP addresses, and other DNS records that should have been protected by the subzone\u0026rsquo;s restrictive ACL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized zone transfers, exposing sensitive DNS information. The impact is significant as it can lead to the disclosure of internal network structures, server names, and other critical data, potentially facilitating reconnaissance for further attacks. The severity is compounded by the non-intuitive nature of the vulnerability, making it difficult to detect and remediate without a clear understanding of the underlying issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoreDNS to version 1.14.3 or later to address the vulnerability (CVE-2026-33489).\u003c/li\u003e\n\u003cli\u003eReview CoreDNS transfer configurations to ensure subzone ACLs are not inadvertently bypassed by more permissive parent zone ACLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-coredns-acl-bypass/","summary":"CoreDNS' transfer plugin prior to version 1.14.3 can select the wrong ACL stanza due to lexicographic comparison, leading to unauthorized zone transfers by clients intended to be denied by subzone-specific transfer policies.","title":"CoreDNS Transfer Plugin ACL Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-coredns-acl-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Dns","version":"https://jsonfeed.org/version/1.1"}