Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.[1]
DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.
| ID | Name | Description |
|---|---|---|
| S1067 | FluBot |
FluBot can use Domain Generation Algorithms to connect to the C2 server.[2] |
| S0485 | Mandrake | |
| S0411 | Rotexy |
Rotexy procedurally generates subdomains for command and control communication.[1] |
| S1055 | SharkBot |
SharkBot contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.[4] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | Network Communication |
Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[5] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[6] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. |