easy · LOG FORENSICS · 100 pts

Silent Channel

Your SOC team has detected unusual DNS traffic originating from a single internal workstation. A raw DNS query log has been captured from the network gateway. Your job: figure out what data is being sent out — and how.

— scenario

Incident report #2026-001

Alert triggered at 09:31 UTC by anomaly detection rule DNS-HEX-SUBDOMAIN.
Source: 192.168.1.42 (WKSTN-FINANCE-04)
Duration: ~12 minutes of sustained unusual DNS activity.

The workstation belongs to the finance department and should only be accessing internal ERP systems and standard SaaS tools. No external file transfers were authorised.

Analyze the attached DNS query log. Identify the exfiltration channel, extract the data being sent, and submit the flag.

— challenge file

dns-queries.log (14 KB)

— write-up

The full write-up explains the DNS exfiltration technique, how to detect it with Wireshark / grep, and how FoilGuard defends against newly-registered domains used in this pattern.


Step 1 — spot the anomaly

Filter the log to show only queries from 192.168.1.42. Of those, the vast majority go to *.company.local or known SaaS hosts. Four queries stand out: they all go to subdomains of exfil.badactor.cc, a domain you wouldn't expect to see in any normal business log.

Step 2 — collect the subdomain labels

Each queried name follows the pattern <hex-chunk>.<sequence-number>.exfil.badactor.cc. Sort by sequence number and extract the hex chunks in order:

1: 464f494c7b6330
2: 763372745f6368
3: 346e6e336c5f64
4: 6e735f37787d

Step 3 — decode

Concatenate: 464f494c7b6330763372745f6368346e6e336c5f646e735f37787d

Decode as ASCII:

python3 -c "print(bytes.fromhex('464f494c7b6330763372745f6368346e6e336c5f646e735f37787d').decode())"

Result: FOIL{c0v3rt_ch4nn3l_dns_7x}

Why this works as an attack

DNS is almost never blocked outbound and is rarely inspected in depth. By encoding data into subdomain labels (at most 63 characters each), an attacker can exfiltrate data as long as they control the authoritative name server for a domain, because every query for a name under that domain eventually reaches it — the "answers" don't even matter, because the data rides in the queries themselves.

Detection signals: unusual external domains receiving queries from a single internal host, hex-like subdomain labels, sequential numeric labels, high query rate to an otherwise unknown TLD.
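Steps 1 to 3 and the detection signals above, combined into one script. This is an added example, not part of the original write-up or the challenge files; the log layout (timestamp, source IP, query type, query name) is an assumption, since the real dns-queries.log format is not shown here, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log; the layout "timestamp src qtype qname" is assumed.
SAMPLE_LOG = """\
2026-01-05T09:31:02Z 192.168.1.42 A erp.company.local
2026-01-05T09:31:05Z 192.168.1.42 A 763372745f6368.2.exfil.badactor.cc
2026-01-05T09:31:07Z 192.168.1.17 A login.microsoftonline.com
2026-01-05T09:31:09Z 192.168.1.42 A 464f494c7b6330.1.exfil.badactor.cc
2026-01-05T09:31:11Z 192.168.1.42 A 6e735f37787d.4.exfil.badactor.cc
2026-01-05T09:31:14Z 192.168.1.42 A 346e6e336c5f64.3.exfil.badactor.cc
2026-01-05T09:31:16Z 192.168.1.42 A mail.company.local
"""

# <hex-chunk>.<sequence-number>.<base-domain>: a hex-only label (a DNS label is
# at most 63 octets, so 62 is the longest even-length hex label) followed by a
# purely numeric label. Short real words like "cafe" can match too, so treat
# hits as signals to review, not proof.
CHUNK_RE = re.compile(r"^([0-9a-fA-F]{2,62})\.(\d+)\.([a-z0-9.-]+)$")

def parse_log(text):
    """Yield (source_ip, qname) pairs from the assumed log layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[3].rstrip(".").lower()

def find_exfil_channels(text, source_ip):
    """Step 1 + 2: keep hex.seq.domain queries from one host, grouped by
    base domain -> {sequence_number: hex_chunk}."""
    channels = defaultdict(dict)
    for src, qname in parse_log(text):
        if src != source_ip:
            continue
        m = CHUNK_RE.match(qname)
        if m and len(m.group(1)) % 2 == 0:  # odd-length hex cannot be bytes
            chunk, seq, base = m.groups()
            channels[base][int(seq)] = chunk
    return dict(channels)

def reassemble(chunks):
    """Step 3: concatenate chunks in sequence order and decode as ASCII.
    Also report missing sequence numbers so a partial capture is not
    silently decoded as if it were complete."""
    seqs = sorted(chunks)
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in chunks]
    data = bytes.fromhex("".join(chunks[s] for s in seqs))
    return data.decode("ascii", errors="replace"), missing
```

Running find_exfil_channels on the real log with the source IP from the incident report, then reassemble on the returned chunk map, reproduces the manual steps and additionally flags gaps in the captured sequence.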