Weaponizing DNS TXT Records in Multi-Stage Fileless Attacks
Detection and Response Analyst @ Palo Alto Networks Unit 42

Talk Abstract
DNS is widely treated as a passive transport layer in security monitoring. This talk dissects how attackers are weaponizing DNS TXT records as part of the execution layer in modern fileless intrusion chains.
Using a real-world ClickFix-style attack, we examine how user-driven PowerShell execution retrieves and executes payloads directly from DNS TXT responses, transitioning from social engineering to in-memory botnet agent deployment without relying on traditional payload delivery mechanisms.
This approach breaks common defensive and analysis assumptions that DNS is “just data” and that TXT records are benign, shifting execution into trusted and under-inspected layers.
The session highlights how this technique operates across DNS, endpoint, and network boundaries, and what this means for detection and hunting when execution is no longer confined to conventional stages.
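As an added illustration for hunting (not material from the talk), the sketch below correlates endpoint DNS telemetry with the querying process and flags PowerShell resolving a TXT record whose answer looks like encoded data rather than ordinary SPF, DKIM or verification text. The event field names, the process list, the thresholds and the sample events are all assumptions constructed for this example.

```python
import base64
import math
import re
from collections import Counter

# Assumed set of interpreters worth watching; the abstract names PowerShell.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Common legitimate TXT uses, matched case-insensitively on the joined answer.
KNOWN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_payload(strings, min_len=200, min_entropy=4.5):
    """True when a TXT answer is long and base64-shaped or high-entropy.
    TXT data arrives as chunks of up to 255 bytes, so join them first."""
    joined = "".join(strings)
    if joined.lower().startswith(KNOWN_TXT_PREFIXES) or len(joined) < min_len:
        return False
    return bool(B64_RE.match(joined)) or entropy(joined) >= min_entropy

def hunt(events):
    """Return events where a script host resolved a payload-like TXT record."""
    return [e for e in events
            if e["qtype"] == "TXT"
            and e["process"].lower() in SCRIPT_HOSTS
            and looks_like_payload(e["txt"])]

# Constructed sample telemetry; FILLER is harmless base64 of the bytes 0..255.
FILLER = base64.b64encode(bytes(range(256))).decode()
SAMPLE_EVENTS = [
    {"host": "ws-01", "process": "svchost.exe", "qname": "example.com",
     "qtype": "TXT", "txt": ["v=spf1 include:_spf.example.com ~all"]},
    {"host": "ws-02", "process": "powershell.exe", "qname": "example.org",
     "qtype": "TXT", "txt": ["site-verification=abc123"]},
    {"host": "ws-03", "process": "PowerShell.exe", "qname": "stage.example.net",
     "qtype": "TXT", "txt": [FILLER[:255], FILLER[255:]]},
    {"host": "ws-03", "process": "powershell.exe", "qname": "stage.example.net",
     "qtype": "A", "txt": []},
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f'{e["host"]}: {e["process"]} resolved TXT {e["qname"]} '
              f'({sum(map(len, e["txt"]))} chars)')
```

The querying process is the stronger signal here; the content check mainly suppresses short, routine TXT lookups, so the thresholds should be tuned against a baseline of which processes normally issue TXT queries in the environment.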
About the Speaker

Saide Sheikh
Detection and Response Analyst @ Palo Alto Networks Unit 42
Saide Sheikh is a Detection and Response Analyst focused on understanding how attacks unfold in the real world, not just how they appear at the point of detection. Their experience spans endpoint, network, identity, and cloud investigations, with a background in internal SOC operations and security engineering across incident response, monitoring, and detection development. They have a strong interest in operating system behavior, execution flow, and the ways trusted components can be abused.
Their investigation style centers on going beyond alerts by connecting signals, adding context, and reconstructing complete attack chains. Outside of work, they enjoy traveling, meeting people from different cultures, and chasing the occasional adrenaline rush.