Threat Hunting Malware Communication over DNS
🧦 SOC Summit 2026
https://www.antisyphontraining.com/event/soc-summit/
https://www.antisyphontraining.com/event/soc-summit/
Are attackers hiding in your DNS traffic right now?
🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits –
🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits –
Join instructor Faan Rossouw for a free one-hour training on hunting malware that uses DNS as a covert communication channel.
C2 frameworks, RATs, and backdoors frequently exploit DNS to stay hidden - sometimes for months. High-profile attacks like SolarWinds' Sunburst demonstrate just how devastating undetected DNS exfiltration can be.
This Antisyphon Anti-Cast focuses on behavior-based threat hunting techniques that go beyond signatures to uncover suspicious DNS activity attackers think they've hidden.
You'll learn how to:
* Recognize network artifacts that DNS tunneling produces
* Identify anomalies in DNS record types that signal malicious use
* Leverage open-source tools like Zeek, RITA, and Sysmon to detect malware abusing DNS
* Build detection strategies that make it very hard for DNS-based threats to remain hidden
If you're ready to stop trusting DNS and start verifying it, this session will give you the practical skills to hunt what's lurking in your network.
C2 frameworks, RATs, and backdoors frequently exploit DNS to stay hidden - sometimes for months. High-profile attacks like SolarWinds' Sunburst demonstrate just how devastating undetected DNS exfiltration can be.
This Antisyphon Anti-Cast focuses on behavior-based threat hunting techniques that go beyond signatures to uncover suspicious DNS activity attackers think they've hidden.
You'll learn how to:
* Recognize network artifacts that DNS tunneling produces
* Identify anomalies in DNS record types that signal malicious use
* Leverage open-source tools like Zeek, RITA, and Sysmon to detect malware abusing DNS
* Build detection strategies that make it very hard for DNS-based threats to remain hidden
If you're ready to stop trusting DNS and start verifying it, this session will give you the practical skills to hunt what's lurking in your network.
Chapters:
Brought to you by:
- (00:00) - Intro - Threat Hunting Malware Communication over DNS
- (01:00) - Introducing Faan
- (02:35) - Threat Hunting C2 Over DNS
- (04:07) - Threat Hunting - What is it and why is it awesome?
- (05:49) - Assumed Compromise
- (07:02) - David J. Bianco – Pyramid of Pain Guy
- (13:35) - C2 Over DNS
- (28:10) - TXT Record Abuse
- (32:53) - Null Record
- (35:14) - CNAME, MX, SRV… Oh my
- (38:33) - DNS Sandwhich
- (42:55) - ID Field Missuse
- (49:05) - EDNS0
- (52:40) - Encrypted DNS
- (55:22) - Main Takeaway
- (56:21) - The Workshop: Build a Reflective Shellcode Loader C2 in Golang
- (57:58) - Q&A Start
- (01:00:22) - DNS and Splunk?
- (01:01:55) - Suggestions for Detecting DGA?
- (01:03:32) - Offensive Security Tooling from a Threat Hunter Perspective
- (01:07:34) - Restrict outbound DNS to protect against C2?
- (01:09:13) - Communicating the value of Threat Hunting to Higher Ups.
- (01:13:56) - Closing Remarks
Brought to you by:
Black Hills Information Security
Antisyphon Training
Active Countermeasures
Wild West Hackin Fest
Creators and Guests
Guest
Faan Rossouw
I’m a security researcher focused on the intersection of threat hunting and agentic AI. I do research at Active Countermeasures and instruct at AntiSyphon, teaching threat hunting and offensive security tooling. I’m also currently building aionsec.ai, an open-source platform to make elite threat hunting accessible to everyone.