Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Command and Control/ T1071.004

T1071.004DNS

T1071.004 — DNS is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 29 detection use cases covering it and 126 threat-intel articles citing it.

Command and Control
View on the matrix → Filter Detection Library MITRE official spec ↗
29Use cases
126Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1071 · Application Layer Protocol

Use cases covering this technique (29)

Beaconing — periodic outbound to small set of destinations Internal c2 · alerting DSP DNS tunneling / TXT-heavy domain queries Internal c2 · hunting DSP Windows AI Platform DNS Query ESCU actions · hunting P Windows Credential Target Information Structure in Commandline ESCU actions · alerting P Windows Kerberos Coercion via DNS ESCU actions · alerting P Windows Short Lived DNS Record ESCU actions · alerting P Windows Visual Basic Commandline Compiler DNSQuery ESCU actions · alerting P DNS Kerberos Coercion ESCU actions · alerting P Excessive DNS Failures ESCU actions · hunting P Windows DNS Query Request by Telegram Bot API ESCU actions · hunting P DNS Query Length Outliers - MLTK ESCU actions · hunting P DNS Query Requests Resolved by Unauthorized DNS Servers ESCU actions · alerting P DNS record changed ESCU actions · alerting P [LLM] SPECTRALVIPER C2 callout to OceanLotus FireAnt infrastructure Bespoke c2 · hunting DSΣPDDCS [LLM] DNS resolution for OceanLotus SPECTRALVIPER C2 domains Bespoke c2 · alerting DSΣPDDCS [LLM] FlutterShell macOS C2 contact (atsheisdomestic / etoftheappyrince / healightejustb) Bespoke c2 · alerting DSΣPCS [LLM] SilentCryptoMiner DNS tunneling to *.microsoft.com lookalike and known C2 .space domains Bespoke c2 · alerting DSΣPDDCS [LLM] Screening Serpens C2 — DNS/network to UNC1549 infrastructure (Feb-Apr 2026) Bespoke c2 · alerting DSΣPDDCS [LLM] Nx Console / Shai-Hulud C2 connection (t.m-kosche.com, check.git-service.com, filev2.getsession.org, api.masscan.cloud, 83.142.209.194) Bespoke c2 · alerting DSΣPDDCS [LLM] Mini Shai-Hulud C2 callback to zero.masscan.cloud / 94.154.172.43 Bespoke c2 · alerting DSΣPDDCS [LLM] DNS / Network egress to TeamPCP Nx Console C2 domain check.git-service.com Bespoke c2 · alerting DSΣPDDCS [LLM] DNS lookup for git-tanstack.com TeamPCP C2 staging domain Bespoke c2 · alerting DSΣPDDCS [LLM] DNS lookup for azurestaticprovider[.]net node-ipc exfil domain Bespoke c2 · alerting DSΣPDDCS [LLM] Session/Oxen P2P exfil DNS or TCP to getsession.org from build/CI host Bespoke c2 · alerting DSΣPDD [LLM] IoliteLabs IOC sweep: rraghh.com / oortt.com hostnames + campaign file hashes Bespoke c2 · hunting DSΣPDD [LLM] bittensor-wallet 4.0.2 backdoor C2 domain contact (opentensor-* lookalikes) Bespoke c2 · alerting DSΣPDD [LLM] DNS tunneling exfiltration pattern to *.t.opentensor-cdn.com (hex chunk/index/total/session) Bespoke c2 · alerting DSΣPDD [LLM] DNS/HTTP egress to CanisterWorm ICP canister C2 (tdtqy-oyaaa-aaaae-af2dq-cai) Bespoke c2 · alerting DSΣPDDCS [LLM] GhostChat C2/staging infrastructure contact (hitpak.org, buildthenations.info, fkclb.com) Bespoke c2 · alerting DSΣPDDCS

Articles citing this technique (126)

crit Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication art-09
high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18
crit China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade art-22
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
crit LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution art-32
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36
crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities art-37
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41
crit New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files art-42
crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
high AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS. art-51
crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack art-53
crit OceanLotus: From external espionage to domestic targeting art-54
high GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks art-55
crit China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance art-59
crit Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities art-61
crit Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE art-62
crit Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs art-67
crit Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows art-71
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Ag art-79
high Meta to Use Off-Site Business Data for Feed and AI Personalization art-81
crit Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now art-84
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
high Reporting from Vegas: Networking, AI, and good boys art-126
high Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting art-129
high Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp art-130
high Argamal: Malware hidden in hentai games art-137
crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139
crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) art-143
high Multiple redhat-cloud-services npm Packages compromised art-144
high Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets art-145
high Nx Console VS Code Extension Compromised art-146
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150
crit Malicious npm packages abuse dependency confusion to profile developer environments art-161
high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183
high What MDM can't protect on developer machines (and what to do about it) art-186
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190
crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit Laravel Lang Supply Chain Advisory art-211
high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212
high Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositories art-215
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
crit 5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough art-230
crit [GHSA / CRITICAL] CVE-2026-46421: Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-serv art-235
crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237
high GitHub breached via a malicious VS Code extension: why developer devices are the real target art-238
crit Webworm: New burrowing techniques art-240
high Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! art-254
crit [GHSA / CRITICAL] CVE-2026-45758: Malicious code in guardrails-ai 0.10.1 (supply chain compromise) art-255
crit From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat art-265
crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267
crit Active Supply Chain Attack: Malicious node-ipc Versions Published to npm art-269
crit Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account art-270
high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281
crit Malicious node-ipc versions published to npm in suspected maintainer account compromise art-284
crit Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities art-302
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309
crit TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages art-312
crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit Fake call logs, real payments: How CallPhantom tricks Android users art-323
crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325
crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332
crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333
high elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection art-334
crit Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools art-335
high Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers art-352
crit fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet art-360
high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361
crit GopherWhisper: A burrow full of malware art-362
med Hardcoding Security into Every Commit: The Future of Snyk Secrets art-363
high GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays art-367
crit New NGate variant hides in a trojanized NFC payment app art-369
high @velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence art-399
crit Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack art-400
crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401
high hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far art-403
high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405
high Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor art-412
crit TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package art-413
high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420
crit litellm: Credential Stealer Hidden in PyPI Wheel art-423
crit Popular telnyx package compromised on PyPI by TeamPCP art-425
high CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem art-429
high Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised art-430
crit bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys art-431
high Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised art-432
crit Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys art-433
crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434
high xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning art-435
crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443
high CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran art-444
high TeamPCP deploys CanisterWorm on NPM following Trivy compromise art-445
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
crit fast-draft Open VSX Extension Compromised by BlokTrooper art-459
high Glassworm Strikes Popular React Native Phone Number Packages art-466
crit Sednit reloaded: Back in the trenches art-477
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
high The Prescriptive Path to Operationalizing AI Security art-581
crit DynoWiper update: Technical analysis and attribution art-590
med Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan art-593
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets art-604
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608
crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642
crit Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages art-690
crit PlushDaemon compromises network devices for adversary-in-the-middle attacks art-695
high Ground zero: 5 things to do after discovering a cyberattack art-722
crit Gotta fly: Lazarus targets the UAV sector art-734
low Snyk @ RSAC 2025 art-911
crit Do not pass GO - Malicious Package Alert art-1000
crit CISA KEV: CVE-2019-11001 — Reolink Multiple IP Cameras OS Command Injection Vulnerability art-1048
high A stepping stone towards holistic application risk and compliance management of the Digital Operational Resiliency Act (DORA) art-1211
med Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment art-1321
high Using insecure npm package manager defaults to steal your macOS keyboard shortcuts art-1425