DNS Exfiltration Campaign
Status: misdirected
Attacker Type: HYBRID
Confidence: 82%
Kill Chain: Exfiltration
Events: 1,834
CRS Score: 72
Elapsed: 20m
EVENT TIMELINE
[high]     12:00:00  Anomalous DNS query volume detected (500+ TXT queries/sec)
[critical] 12:02:00  Data encoded in DNS queries -- exfiltration confirmed
[info]     12:05:00  CIE: Exfiltration channel intercepted and data poisoned
ATTACK NARRATIVE
A hybrid attack combining human planning with automated DNS exfiltration tools has been detected and successfully misdirected. The attacker encoded stolen data as DNS TXT record queries to attacker-controlled domains. The CIE intercepted the exfiltration channel and replaced genuine data with convincing but fabricated records. The attacker has exfiltrated 14MB of poisoned data believing it to be customer records. Meanwhile, the genuine data channels have been sealed and all affected systems are under enhanced monitoring.
Affected Assets
dns-resolver-01, rds-customers-prod, ec2-etl-worker-05
Agent Layers Involved
network, data
PREDICTED NEXT MOVES
01  Switch to HTTPS-based exfiltration channel
02  Compress and encrypt remaining data batches
03  Clean access logs to cover tracks
Pre-Blocked Paths
BLOCKED  Switch to HTTPS-based exfiltration channel
BLOCKED  Compress and encrypt remaining data batches
BLOCKED  Clean access logs to cover tracks
COUNTER-ACTIONS EXECUTED
12:05:00  DNS exfiltration channel intercepted and poisoned
12:06:00  Replaced genuine data with fabricated records
12:07:00  Sealed all outbound data channels