The sub-techniques beta is now live! Read the release blog post for more info.

Domain Generation Algorithms (DGA)

****Deprecation Warning****

The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. [1] [2]

ID: T1323
Tactic: Adversary Opsec
Version: 2.0
Created: 14 December 2017
Last Modified: 17 April 2019


Detectable by Common Defenses (Yes/No/Partial): Partial

Explanation: It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.


  1. Damballa Day Before Zero Blog. (2012, March 5). Domain Generation Algorithms (DGA) in Stealthy Malware. Retrieved March 6, 2017.
  1. Damballa. (n.d.). DGAs in the Hands of Cyber-Criminals Examining The State Of The Art In Malware Evasion Techniques. Retrieved March 6, 2017.