Domain Generation Algorithms

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.[1]

DGAs make it harder for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

ID: T1520
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 23 September 2019
Last Modified: 23 September 2019

Procedure Examples

ID | Name | Description
S0485 | Mandrake | Mandrake has used domain generation algorithms.[2]
S0411 | Rotexy | Rotexy procedurally generates subdomains for command and control communication.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detecting dynamically generated domains can be challenging due to the number of different DGAs, constantly evolving malware families, and the increasing complexity of the algorithms. There are many approaches for detecting a pseudo-randomly generated domain name, including frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[3] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
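An added example, not part of the original page and not taken from any cited tool: a small name-based scorer that combines three of the heuristics listed above (entropy, ratio of vowels, proportion of dictionary words) and applies an allowlist first to suppress the CDN false positives. The thresholds, word list, allowlist entry and sample domains are all constructed assumptions.

```python
import math
from collections import Counter

VOWELS = set("aeiou")
# Assumption: parents whose hostnames look random by design (CDN-style).
ALLOWLIST = ("cdn.example",)
# Assumption: tiny constructed word list; load a real dictionary in practice.
WORDS = ("mail", "news", "shop", "cloud", "bank", "secure", "login",
         "update", "photo", "weather")

def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def dictionary_coverage(label):
    """Fraction of characters covered by known words (greedy, longest first)."""
    covered, i = 0, 0
    while i < len(label):
        match = max((w for w in WORDS if label.startswith(w, i)), key=len, default="")
        covered += len(match)
        i += len(match) or 1
    return covered / max(len(label), 1)

def features(domain):
    parts = domain.lower().rstrip(".").split(".")
    # Simplification: score the longest label left of the TLD.
    label = max(parts[:-1] or parts, key=len)
    letters = [c for c in label if c.isalpha()]
    return {
        "label": label,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / max(len(letters), 1),
        "dict_coverage": dictionary_coverage(label),
    }

def is_suspicious(domain):
    d = domain.lower().rstrip(".")
    if any(d == s or d.endswith("." + s) for s in ALLOWLIST):
        return False  # known false-positive source, handled before scoring
    f = features(d)
    # Assumed thresholds; tune against your own resolver logs.
    votes = (f["entropy"] > 3.5) + (f["vowel_ratio"] < 0.25) + (f["dict_coverage"] < 0.3)
    return len(f["label"]) >= 10 and votes >= 2

# Constructed sample queries, not taken from any real malware family.
SAMPLES = ["xkqjzvwplmrtbq.com", "weatherupdate.com", "d3k9x7qzv1wpl2.cdn.example"]
if __name__ == "__main__":
    for name in SAMPLES:
        print(name, is_suspicious(name), features(name))
```

The third sample scores as random on every feature and is cleared only by the allowlist, which is why name-based scoring is best paired with the registration-age and rarity checks mentioned above.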

References