Dynamic Resolution: Domain Generation Algorithms

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.[1]

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

ID: T1637.001
Sub-technique of: T1637
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.1
Created: 05 April 2022
Last Modified: 14 August 2023

Procedure Examples

ID Name Description
S1067 FluBot

FluBot can use Domain Generation Algorithms to connect to the C2 server.[2]

S0485 Mandrake

Mandrake has used domain generation algorithms.[3]

S0411 Rotexy

Rotexy procedurally generates subdomains for command and control communication.[1]

S1055 SharkBot

SharkBot contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[5] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[6] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.
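The lexical heuristics listed above (entropy, vowel ratio, proportion of dictionary words, character-pair frequency) can be turned into a simple triage score and run over DNS query logs. The following is an added example, not code from the ATT&CK page or from any of the referenced projects; the word list, the benign-name corpus used for the bigram model, the log lines and all thresholds are constructed placeholders that a real deployment would replace with a full dictionary and a model trained on the organisation's own history of resolved names. It also scores subdomains, not just the second-level label, because (as the Rotexy entry above notes) some DGAs generate subdomains.

```python
"""Lexical DGA triage over DNS query logs, using the heuristics named in the
detection guidance (entropy, vowel ratio, dictionary-word proportion, bigram
frequency). Added example; not part of the ATT&CK page. The word list, the
benign corpus, the log lines and every threshold are constructed placeholders."""
import math
from collections import Counter

VOWELS = set("aeiou")
# Constructed stand-ins: a real deployment would use a full dictionary and a
# bigram model trained on the organisation's own resolved-name history.
DICTIONARY = {"google", "mail", "update", "cloud", "secure", "login", "bank",
              "app", "store", "news", "shop", "web", "net", "data"}
BENIGN_SAMPLE = ["google", "microsoft", "amazon", "facebook", "wikipedia", "github",
                 "cloudflare", "apple", "netflix", "twitter", "youtube", "linkedin"]

def candidate_labels(domain):
    """Every label except the TLD and a leading 'www'; subdomains are scored too,
    since some DGAs generate subdomains rather than second-level names."""
    labels = domain.lower().strip(".").split(".")[:-1]
    return [l for l in labels if l != "www"]

def shannon_entropy(label):
    """Bits per character; 0.0 for an empty or single-symbol label."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def vowel_ratio(label):
    """Vowels divided by letters (digits and hyphens are ignored)."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

def digit_ratio(label):
    return sum(c.isdigit() for c in label) / len(label) if label else 0.0

def dictionary_coverage(label):
    """Largest fraction of characters covered by non-overlapping dictionary words (DP)."""
    n = len(label)
    best = [0] * (n + 1)  # best[i]: most characters of label[:i] covered by words
    for i in range(1, n + 1):
        best[i] = best[i - 1]
        for word in DICTIONARY:
            w = len(word)
            if i >= w and label[i - w:i] == word:
                best[i] = max(best[i], best[i - w] + w)
    return best[n] / n if n else 0.0

def _bigram_counts(samples):
    counts = Counter()
    for s in samples:
        counts.update(a + b for a, b in zip(s, s[1:]))
    return counts

BIGRAMS = _bigram_counts(BENIGN_SAMPLE)
BIGRAM_TOTAL = sum(BIGRAMS.values())
VOCAB = 36 * 36  # a-z plus 0-9: size of the add-one smoothing space

def bigram_log_likelihood(label):
    """Mean log2 probability of the label's bigrams under the benign model."""
    pairs = [a + b for a, b in zip(label, label[1:])]
    if not pairs:
        return 0.0
    return sum(math.log2((BIGRAMS[p] + 1) / (BIGRAM_TOTAL + VOCAB)) for p in pairs) / len(pairs)

# Anything less likely than every benign training name counts as a hit.
BIGRAM_FLOOR = min(bigram_log_likelihood(s) for s in BENIGN_SAMPLE)

def label_hits(label):
    """Number of heuristics that fire for one label (thresholds are constructed)."""
    checks = [
        shannon_entropy(label) > 3.2 and len(label) >= 10,
        vowel_ratio(label) < 0.25,
        digit_ratio(label) > 0.2,
        dictionary_coverage(label) < 0.3 and len(label) >= 8,
        bigram_log_likelihood(label) < BIGRAM_FLOOR,
    ]
    return sum(checks)

def dga_score(domain):
    """Worst-scoring label of the domain; 0 when nothing is scorable."""
    return max((label_hits(l) for l in candidate_labels(domain)), default=0)

def is_suspicious(domain, min_hits=3):
    return dga_score(domain) >= min_hits

# Constructed DNS query log, one "<epoch> <client> <qname>" record per line.
# Counting queries per name also gives the "rarely visited" signal.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.google.com
1700000001 10.0.0.5 mail.google.com
1700000002 10.0.0.7 xk3j9qz7mwp2.com
1700000003 10.0.0.7 qz7mwp2xk3j9.example.net
1700000004 10.0.0.9 www.google.com
1700000005 10.0.0.7 secureloginupdate.net
"""

def triage_dns_log(text, min_hits=3):
    """Return {qname: (hits, query_count)} for names that meet the hit threshold."""
    counts = Counter(line.split()[2] for line in text.splitlines() if line.strip())
    return {q: (dga_score(q), n) for q, n in counts.items() if dga_score(q) >= min_hits}

if __name__ == "__main__":
    for qname, (hits, n) in triage_dns_log(SAMPLE_LOG).items():
        print(f"{qname:32} hits={hits} queries={n}")
```

On the constructed log, only the two character-salad names are flagged (five hits each, one query each); `secureloginupdate.net` scores two hits and passes, which illustrates the caveat that word-list DGAs defeat entropy and dictionary checks and is why the guidance pairs lexical analysis with registration age, visit frequency and dormant-then-spike traffic patterns. The CDN false positives the text mentions show up the same way: a long, high-entropy CDN hostname label fires the entropy and bigram checks, so an allow-list of known CDN suffixes belongs in front of the scorer.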

References