Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
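As an added example, not part of this mapping page or any of the mapped controls: a Python triage heuristic for the letter-wise DGA names described above, of the kind the "random DNS name" detections in the tables rely on, run over constructed DNS query log lines. The log format, thresholds and function names are assumptions; the wordlist variant (cityjulydish.net) is deliberately included to show that it passes character-level checks.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log lines (timestamp, client IP, queried name); not from the page.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 istgmxdejdnxuyla.ru
2024-01-01T10:00:03 10.0.0.7 cityjulydish.net
2024-01-01T10:00:04 10.0.0.5 qwpzkvhtrmxlbncd.com
2024-01-01T10:00:05 10.0.0.9 mail.google.com
"""

VOWELS = set("aeiouy")

def shannon_entropy(s):
    """Bits per character of s; 16 distinct letters in a 16-char label give the maximum of 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_label(qname):
    """Label left of the TLD. Assumes single-label TLDs; production code should use a public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def longest_consonant_run(label):
    """Length of the longest run of consonants; digits and hyphens also break the run."""
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS or not ch.isalpha() else run + 1
        best = max(best, run)
    return best

def looks_generated(label, entropy_min=3.5, run_min=5):
    """Heuristic for letter-wise DGA labels: high character entropy or an unpronounceable consonant run.
    Wordlist DGAs (e.g. cityjulydish) pass both checks, and benign CDN/cloud-generated labels can fail
    them, so treat the result as a triage signal, not a verdict."""
    return shannon_entropy(label) >= entropy_min or longest_consonant_run(label) >= run_min

def flag_clients(log_text, min_hits=2):
    """Group suspicious queries by client: one odd name is noise, several from one host is worth a look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if looks_generated(registered_label(qname)):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}
```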
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1568.002 | Domain Generation Algorithms | Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1568.002 | Domain Generation Algorithms | Comments: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control) activity at the network level. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1568.002 | Domain Generation Algorithms | Comments: This diagnostic statement protects against Domain Generation Algorithms through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1568.002 | Domain Generation Algorithms | |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | mitigates | T1568.002 | Domain Generation Algorithms | |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | mitigates | T1568.002 | Domain Generation Algorithms | |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | mitigates | T1568.002 | Domain Generation Algorithms | |
SI-03 | Malicious Code Protection | mitigates | T1568.002 | Domain Generation Algorithms | |
SI-04 | System Monitoring | mitigates | T1568.002 | Domain Generation Algorithms | |
AC-04 | Information Flow Enforcement | mitigates | T1568.002 | Domain Generation Algorithms | |
SC-07 | Boundary Protection | mitigates | T1568.002 | Domain Generation Algorithms | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_dns | Alerts for DNS | technique_scores | T1568.002 | Domain Generation Algorithms | Comments: Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names. |
azure_dns_analytics | Azure DNS Analytics | technique_scores | T1568.002 | Domain Generation Algorithms | Comments: This control can be used for after-the-fact analysis of potential fast-flux DNS C2. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1568.002 | Domain Generation Algorithms | Comments: GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations: Trojan:EC2/DGADomainRequest.B and Trojan:EC2/DGADomainRequest.C!DNS. |