ID | Name |
---|---|
T1568.001 | Fast Flux DNS |
T1568.002 | Domain Generation Algorithms |
T1568.003 | DNS Calculation |
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[1][2][3]
DGAs can take the form of apparently random or "gibberish" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[1][2][4][5]
Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.[4][6][7]
ID | Name | Description |
---|---|---|
G0096 | APT41 | |
S0456 | Aria-body |
Aria-body has the ability to use a DGA for C2 communications.[9] |
S0373 | Astaroth | |
S0534 | Bazar |
Bazar can implement DGA using the current date as a seed variable.[11] |
S0360 | BONDUPDATER |
BONDUPDATER uses a DGA to communicate with command and control servers.[12] |
S0222 | CCBkdr |
CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost.[4] |
S0023 | CHOPSTICK |
CHOPSTICK can use a DGA for Fallback Channels, domains are generated by concatenating words from lists.[7] |
S0608 | Conficker |
Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[13][14] |
S0673 | DarkWatchman |
DarkWatchman has used a DGA to generate a domain name for C2.[15] |
S0600 | Doki |
Doki has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.[16] |
S0377 | Ebury |
Ebury has used a DGA to generate a domain name for C2.[17][18] |
S0531 | Grandoreiro |
Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.[19][20] |
S1015 | Milan |
Milan can use hardcoded domains as an input for domain generation algorithms.[21] |
S0051 | MiniDuke |
MiniDuke can use DGA to generate new Twitter URLs for C2.[22] |
S0508 | ngrok |
ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[23] |
S0150 | POSHSPY |
POSHSPY uses a DGA to derive command and control URLs from a word list.[6] |
S0650 | QakBot |
QakBot can use domain generation algorithms in C2 communication.[24] |
S0596 | ShadowPad |
ShadowPad uses a DGA that is based on the day of the month for C2 servers.[25][26][8] |
S1019 | Shark |
Shark can send DNS C2 communications using a unique domain generation algorithm.[27][21] |
S0615 | SombRAT |
SombRAT can use a custom DGA to generate a subdomain for C2.[28] |
G0127 | TA551 |
TA551 has used a DGA to generate URLs from executed macros.[29][30] |
S0386 | Ursnif |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.[1][32] Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.[5] Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. |
M1021 | Restrict Web-Based Content |
In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Traffic Flow |
Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more. [33] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA. [34] Another approach is to use deep learning to classify domains as DGA-generated[35]] |