T1568.002

Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. (Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation:...

Linux, macOS, Windows, ESXi

10 Detections, 2 Sources, 2 Threat Actors

BY SOURCE

8 elastic, 2 sigma

PROCEDURES (7)

Dns (2 detections)

Auto-extracted: 2 detections for dns

Exfiltrat (2 detections)

Auto-extracted: 2 detections for exfiltrat

Beacon (2 detections)

Auto-extracted: 2 detections for beacon

C2 (1 detection)

Auto-extracted: 1 detection for c2

Dns (1 detection)

Auto-extracted: 1 detection for dns

C2 (1 detection)

Auto-extracted: 1 detection for c2

Persist (1 detection)

Auto-extracted: 1 detection for persist

THREAT ACTORS (2)

DETECTIONS (10)