DNS tunneling series, part 3: The siren song of RogueRobin
Common Information
Type Value
UUID 43ea7ae7-477f-4aa1-a6a4-fda8146b1859
Fingerprint 84118c006e311399
Analysis status DONE
Considered CTI value 0
Text language
Published Feb. 6, 2020, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Detected Hints/Tags/Attributes 58/1/24
Attributes