⠙⠁⠞⠁ ⠃⠕⠥⠝⠉⠊⠝⠛
When Dave and I originally published the article on the 5th of November 2023, we assumed that people would 'get it' and that it would stimulate conversations about using this idea, whether in headers, email addresses, link previews, resource fetches, etc. We thought it would blow up, and while some people really got it, we recognised that the learning curve requires a certain amount of understanding of how the internet works: not only how looking up a host can be abused, but how to do so in a way that is out of reach of enterprise-grade defences and threat intelligence.
We let the post simmer for a while; the offensive tier of Infosec appreciated the method, but the defensive side has mostly avoided it. Thus, the goal here is to draw more attention to the method, in more detail, and to find the right way to say to people, 'you need to recognise this.'
So far, vendor responses have been disappointing, and that’s not to say there isn’t an answer, but the ones we’ve received seem defeatist. If we’re hitting the roof on 'domain-based trusts', then it’s dark times for defenders as this method is available in many places, as you’ll learn by exploring the site or joining the chatter.
We want this method to be acknowledged as an exfiltration method that has become normalised, because of how difficult it is to defend against. We think this will happen through offensive demonstrations, C2 comms, exfil tooling, and adoption.
So, to all you Red Teamers and penetration testers, you owe it to your clients to use data bouncing so they can pressure the right people to force change. The tooling that our friends have built so far can be found in the tools section, and if you stay close, there will be C2 capabilities in the coming future.