Domain Generation Algorithms - T1568.002
(ATT&CK® Technique)
Definition
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.
D3FEND Inferred Relationships
The knowledge graph links this technique to one digital artifact and, through that artifact, to the defensive techniques that act on it.

Offensive technique and the artifact it produces:
- Domain Generation Algorithms (T1568.002) produces Outbound Internet DNS Lookup Traffic (d3f:OutboundInternetDNSLookupTraffic)

Defensive techniques that analyze Outbound Internet DNS Lookup Traffic and may detect Domain Generation Algorithms:
- Client-server Payload Profiling (d3f:Client-serverPayloadProfiling)
- DNS Traffic Analysis (d3f:DNSTrafficAnalysis)
- Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation)
- Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis)
- Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection)
- Relay Pattern Analysis (d3f:RelayPatternAnalysis)
- Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection)
- Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis)
- User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis)

Defensive techniques that block or filter Outbound Internet DNS Lookup Traffic and may isolate Domain Generation Algorithms:
- DNS Allowlisting (d3f:DNSAllowlisting) blocks the artifact
- DNS Denylisting (d3f:DNSDenylisting) blocks the artifact
- Network Traffic Filtering (d3f:NetworkTrafficFiltering) filters the artifact
- Forward Resolution Domain Denylisting (d3f:ForwardResolutionDomainDenylisting) blocks the artifact
- Reverse Resolution IP Denylisting (d3f:ReverseResolutionIPDenylisting) blocks the artifact
- Outbound Traffic Filtering (d3f:OutboundTrafficFiltering) filters the artifact
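The definition above explains why a DGA-driven implant produces a stream of lookups for many never-registered domains, and the graph relates that Outbound Internet DNS Lookup Traffic artifact to DNS Traffic Analysis as a detection. The following is an added example of that analysis, written for this page and not code from D3FEND or ATT&CK: it parses a constructed resolver log, scores each queried name for the random-looking shape DGA labels tend to have (long, high-entropy, vowel-poor) and, per client host, combines that with the share of NXDOMAIN answers. The log format, the host addresses and domain names, the thresholds, and the helper names (parse_log, registered_label, looks_random, score_hosts) are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log excerpt (sample data made up for this example, not from the page).
# Format per line: <timestamp> <client-ip> <queried-name> <rcode>
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:03Z 10.0.0.5 cdn.example.net NOERROR
2024-01-01T10:00:04Z 10.0.0.7 xk3jq9vplw2z.com NXDOMAIN
2024-01-01T10:00:05Z 10.0.0.7 qz8wv1rtpmxk.net NXDOMAIN
2024-01-01T10:00:06Z 10.0.0.7 bvh7ksjqxt4r.org NXDOMAIN
2024-01-01T10:00:07Z 10.0.0.7 www.example.com NOERROR
2024-01-01T10:00:08Z 10.0.0.7 plm2xzq9kvwr.info NXDOMAIN
"""

VOWELS = set("aeiou")


def parse_log(text):
    """Parse the four-column log format above into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def registered_label(qname):
    """Return the label left of the TLD ("example" for "www.example.com").
    Assumption: single-label public suffixes only; a real deployment would consult
    the Public Suffix List so that names under e.g. co.uk are split correctly."""
    labels = [l for l in qname.split(".") if l]
    if not labels:
        return ""
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic for algorithmically generated labels: long, high-entropy, few vowels.
    The thresholds are assumptions for this example; tune them against your own baseline."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def score_hosts(records, min_queries=3, nx_threshold=0.5, random_threshold=0.5):
    """Per client: share of NXDOMAIN answers and share of random-looking names.
    A host is flagged only when both signals cross their thresholds, because either
    one alone (a CDN hostname, a typo burst) is common in benign traffic."""
    per_host = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "random": 0, "names": []})
    for r in records:
        h = per_host[r["client"]]
        h["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            h["nxdomain"] += 1
        if looks_random(registered_label(r["qname"])):
            h["random"] += 1
            h["names"].append(r["qname"])
    report = {}
    for client, h in per_host.items():
        nx_ratio = h["nxdomain"] / h["queries"]
        rand_ratio = h["random"] / h["queries"]
        report[client] = {
            "queries": h["queries"],
            "nxdomain_ratio": nx_ratio,
            "random_ratio": rand_ratio,
            "examples": h["names"][:3],
            "flagged": (h["queries"] >= min_queries
                        and nx_ratio >= nx_threshold
                        and rand_ratio >= random_threshold),
        }
    return report


if __name__ == "__main__":
    for client, info in score_hosts(parse_log(SAMPLE_DNS_LOG)).items():
        print(client, info)
```

On the sample log, 10.0.0.5 resolves three ordinary names and is not flagged, while 10.0.0.7 has four of five queries both random-looking and unanswered (NXDOMAIN ratio 0.8) and is flagged. Requiring both signals is the important design choice: the NXDOMAIN share captures the property the definition describes (most candidate domains are never registered), and the name-shape score keeps a host with a run of ordinary typos from being flagged. In production the same two ratios would be computed over a sliding time window per host, and the flagged names would feed the denylisting techniques listed above.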