Kernel-Enforced DNS Exfiltration Security
Black Hat USA 2025 · Day 1 · Briefings
DNS remains the preferred command-and-control channel for 85% of advanced persistent threats because it bypasses firewalls, evades passive detection, and traverses nearly every network. Vedang Parasnis presents a kernel-enforced EDR architecture using eBPF to hunt DNS C2 and tunneling at ring zero — where no user-space evasion can hide — combined with a quantized deep learning model for data obfuscation detection and a cloud deployment architecture that dynamically blacklists domains in real time.
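As an added illustration (not code from the talk or its demo) of the user-space stage such a kernel hook feeds: a parser that recovers the QNAME from a raw DNS query payload, as an eBPF socket or XDP hook would capture it, and computes the length and entropy features a tunneling detector scores. The sample queries are constructed, and the thresholds are illustrative assumptions, not the speaker's model.

```python
import math
import struct

# Constructed sample queries; not traffic from the talk's demo.
BENIGN_QNAME = "www.example.com"
TUNNEL_QNAME = ("abcdefghijklmnopqrstuvwxyz234567."
                "abcdefghijklmnopqrstuvwxyz234567.tunnel.example")

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query (the UDP payload a kernel DNS hook would see)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_qname(payload: bytes) -> str:
    """Walk the length-prefixed labels of the first question and return the dotted name."""
    if struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:  # compression pointers are not valid in a query's QNAME
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded tunnel payloads sit near their alphabet's maximum."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def tunnel_features(qname: str) -> dict:
    """Features a DNS-tunnel detector commonly uses; thresholds are illustrative."""
    labels = qname.split(".")
    sub = labels[:-2]  # controlled subdomain part, assuming a two-label registered domain
    subtext = "".join(sub)
    entropy = shannon_entropy(subtext)
    return {
        "qname_len": len(qname),
        "max_label_len": max((len(l) for l in labels), default=0),
        "sub_entropy": round(entropy, 2),
        "suspicious": (len(qname) > 100
                       or any(len(l) > 40 for l in sub)
                       or entropy > 4.0),
    }
```

In a deployment like the one described, the kernel hook would hand each captured query to this stage, and a flagged name would be the trigger for the dynamic blacklist rather than a verdict on its own.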
AI review
Solid eBPF-for-DNS-C2 architecture with a working demo against Sliver. The ideas are sound, the kernel hooks are legitimate, but this is a graduate thesis more than a mature system — and the ML component is a weak link dressed up in deep learning clothes.