Description
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
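As an added defender-side illustration (not code from the ATT&CK page), the Python below scores queried names for the character-level "gibberish" pattern described above and, because dictionary-word DGAs such as cityjulydish.net evade lexical scoring, also counts NXDOMAIN bursts per client, which a host walking a DGA list tends to produce. The resolver log format, the client addresses and every log line are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, assumed format "<time> <client> <qname> <rcode>"; sample names only.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 istgmxdejdnxuyla.ru NXDOMAIN
2024-01-01T10:00:02 10.0.0.5 qkwpzlvrtmcxhb.ru NXDOMAIN
2024-01-01T10:00:03 10.0.0.5 bfzqnxwtrlkpdc.ru NXDOMAIN
2024-01-01T10:00:03 10.0.0.5 xvtpqlmnzkwrgh.ru NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 mail.example.org NOERROR
2024-01-01T10:00:05 10.0.0.7 cityjulydish.net NXDOMAIN
2024-01-01T10:00:06 10.0.0.7 applegreenstone.net NXDOMAIN
2024-01-01T10:00:07 10.0.0.7 riverbluecoat.net NXDOMAIN
"""
VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits per character; random-letter labels score well above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname):
    """Second-level label (simplification: no public-suffix list handling)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname):
    """0-3 lexical score for character-level ('gibberish') DGAs. Dictionary DGAs
    such as cityjulydish.net look like words and deliberately score low here."""
    label = registrable_label(qname)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return (int(len(label) >= 12)
            + int(shannon_entropy(label) >= 3.5)
            + int(vowel_ratio < 0.25))

def analyze(log_text, nx_threshold=3):
    """Return (lexically suspicious qnames, clients with NXDOMAIN bursts); a host
    walking a DGA list gets many NXDOMAINs since few generated names are registered."""
    nx_per_client = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        if dga_score(qname) >= 2:
            suspicious.append(qname)
    bursty = sorted(c for c, n in nx_per_client.items() if n >= nx_threshold)
    return suspicious, bursty
```

Client 10.0.0.7 is surfaced only by the NXDOMAIN-burst signal, which is the point: lexical features alone miss word-based DGAs, so the two checks should be combined rather than used in isolation.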
Platforms
Mitigations (2)
Network Intrusion Prevention (M1031)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason D
Restrict Web-Based Content (M1021)
In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019) |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used a DGA to generate URLs from executed macros.(Citation: Unit 42 TA551 Jan 2021)(Citation: Secur... |
Associated Software (22)
| ID | Name | Type | Context |
|---|---|---|---|
| S0456 | Aria-body | Malware | [Aria-body](https://attack.mitre.org/software/S0456) has the ability to use a DGA for C2 communications.(Citation: CheckPoint Naikon May 2020) |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) uses a DGA to generate C2 domains.(Citation: ESET MirrorFace 2025) |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use domain generation algorithms in C2 communication.(Citation: Trend Micro Qakbot May 2020) |
| S0600 | Doki | Malware | [Doki](https://attack.mitre.org/software/S0600) has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.(Citatio... |
| S0051 | MiniDuke | Malware | [MiniDuke](https://attack.mitre.org/software/S0051) can use DGA to generate new Twitter URLs for C2.(Citation: ESET Dukes October 2019) |
| S0150 | POSHSPY | Malware | [POSHSPY](https://attack.mitre.org/software/S0150) uses a DGA to derive command and control URLs from a word list.(Citation: FireEye POSHSPY April 201... |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) has used a DGA to generate a domain name for C2.(Citation: Prevailion DarkWatchman 2021) |
| S0360 | BONDUPDATER | Malware | [BONDUPDATER](https://attack.mitre.org/software/S0360) uses a DGA to communicate with command and control servers.(Citation: FireEye APT34 Dec 2017) |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) has used dynamic domain generation algorithms in C2.(Citation: ESET HiddenFace 2024)(Citation: T... |
| S0608 | Conficker | Malware | [Conficker](https://attack.mitre.org/software/S0608) has used a DGA that seeds with the current UTC victim system date to generate domains.(Citation: ... |
| S0023 | CHOPSTICK | Malware | [CHOPSTICK](https://attack.mitre.org/software/S0023) can use a DGA for [Fallback Channels](https://attack.mitre.org/techniques/T1008), domains are gen... |
| S0508 | ngrok | Tool | [ngrok](https://attack.mitre.org/software/S0508) can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.(Cita... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used a DGA to generate domain names for C2.(Citation: ProofPoint Ursnif Aug 2016) |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) can use hardcoded domains as an input for domain generation algorithms.(Citation: Accenture Lyceum Ta... |
| S0615 | SombRAT | Malware | [SombRAT](https://attack.mitre.org/software/S0615) can use a custom DGA to generate a subdomain for C2.(Citation: BlackBerry CostaRicto November 2020) |
| S0222 | CCBkdr | Malware | [CCBkdr](https://attack.mitre.org/software/S0222) can use a DGA for [Fallback Channels](https://attack.mitre.org/techniques/T1008) if communications w... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key t... |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) uses a DGA that is based on the day of the month for C2 servers.(Citation: Securelist ShadowPad A... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) has used a DGA in C2 communications.(Citation: Cybereason Astaroth Feb 2019) |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can implement DGA using the current date as a seed variable.(Citation: Cybereason Bazar July 2020) |
References
- Ahuja, A., Anderson, H., Grant, D., Woodbridge, J. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.
- Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
- Chen, L., Wang, T. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods. Retrieved April 26, 2019.
- Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
- Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.
- Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.
- Scarfo, A. (2016, October 10). Domain Generation Algorithms – Why so effective?. Retrieved February 18, 2019.
- Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.
- Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.
Frequently Asked Questions
What is T1568.002 (Domain Generation Algorithms)?
T1568.002 is a MITRE ATT&CK technique named 'Domain Generation Algorithms'. It belongs to the Command and Control tactic. Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or dom...
How can T1568.002 be detected?
Detection of T1568.002 (Domain Generation Algorithms) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1568.002?
There are 2 documented mitigations for T1568.002. Key mitigations include: Network Intrusion Prevention, Restrict Web-Based Content.
Which threat groups use T1568.002?
Known threat groups using T1568.002 include: APT41, TA551.