Potential DGA Activity Detected by Machine Learning
A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.
This brief describes a detection of potential DGA (Domain Generation Algorithm) activity identified by an Elastic machine learning job. DGAs are often used by malware for command and control (C2) communication, generating domain names dynamically to evade detection. The machine learning job, dga_high_sum_probability_ea, analyzes DNS requests to identify source IP addresses that exhibit a high probability of DGA activity. This detection relies on the DGA Detection integration, which includes an ML-based framework to detect DGA activity in DNS events. The integration requires Fleet and DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. This activity matters for defenders because successful DGA-based C2 channels can allow malware to maintain communication and control even when individual malicious domains are blocked.
Attack Chain
- The attacker compromises a host within the network, potentially through unpatched vulnerabilities or social engineering.
- Malware is deployed on the compromised host. This malware contains a DGA.
- The malware uses the DGA to generate a list of potential domain names.
- The compromised host initiates DNS requests to resolve the generated domain names.
- The DNS requests are sent to internal or external DNS servers.
- The machine learning job dga_high_sum_probability_ea analyzes the DNS requests, specifically looking for source IPs with a high aggregate probability of generating DGA domains.
- If the anomaly score exceeds the threshold (70), an alert is triggered.
- The malware successfully establishes a C2 channel with a dynamically generated domain, enabling further malicious activities such as data exfiltration or lateral movement.
Impact
The successful exploitation of DGA-based command and control can lead to persistent malware infections, data exfiltration, and further compromise of systems within the network. While the severity is rated low, the potential impact can escalate quickly if the C2 channel is used for more damaging activities. This detection focuses on identifying potential DGA activity, enabling security teams to investigate and prevent further damage.
Recommendation
- Ensure the DGA Detection integration is installed and properly configured, including the machine learning job dga_high_sum_probability_ea (references: Elastic DGA Detection documentation, prebuilt ML jobs).
- Verify that DNS events are being collected by Elastic Defend, Network Packet Capture, or Packetbeat and that the data view used by the machine learning job includes these events (references: Elastic Defend, Network Packet Capture, Packetbeat).
- Tune the anomaly threshold (currently 70) in the machine learning job based on your environment to reduce false positives and ensure timely detection of DGA activity.
- Review and implement the triage and analysis steps outlined in the rule’s note section, focusing on identifying the source IP, analyzing DNS request patterns, and cross-referencing domains with threat intelligence feeds.
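The following is an added example, not code from Elastic or from the DGA Detection integration. It illustrates the aggregation described in the attack chain (per-domain DGA probabilities summed per source IP within a time bucket) and the threshold tuning from the recommendations above. The per-domain scorer is a hand-weighted heuristic over entropy, digit ratio, vowel ratio and label length, standing in for the integration's trained classifier; the 15-minute bucket, the sample DNS events and the threshold value are all constructed assumptions. Note that the threshold here is applied to the raw summed probability, whereas the real job's threshold of 70 is an anomaly score on a 0 to 100 scale.

```python
import math
from collections import defaultdict

# Constructed sample DNS events: (epoch seconds, source IP, queried domain).
# Made up for this example, not captured traffic.
SAMPLE_DNS_EVENTS = [
    (1700000000, "10.0.0.5", "www.example.com"),
    (1700000060, "10.0.0.5", "mail.example.com"),
    (1700000010, "10.0.0.7", "xk3jq9vz2tbl.com"),
    (1700000020, "10.0.0.7", "q8wz1lrt5mnp.net"),
    (1700000030, "10.0.0.7", "zv7kd0tq4xjs.org"),
    (1700000040, "10.0.0.7", "p2n9qsx6vlwk.com"),
    (1700000900, "10.0.0.9", "cdn.example.net"),
]

BUCKET_SECONDS = 900  # assumed 15-minute aggregation bucket (not the job's real bucket span)
SUM_THRESHOLD = 2.5   # assumed tuning value; raise it to cut false positives, lower it for sensitivity


def registrable_label(domain):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    labels = [part for part in domain.lower().rstrip(".").split(".") if part]
    if not labels:
        return ""
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_probability(domain):
    """Heuristic per-domain DGA probability in [0, 1].

    Stand-in for the integration's classifier: hand-picked weights over
    character entropy, digit ratio, vowel ratio and length, not a trained model.
    """
    label = registrable_label(domain)
    n = len(label)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    # Random-looking labels are long, high-entropy, digit-heavy and vowel-poor.
    z = (1.5 * (entropy - 3.0) + 5.0 * digit_ratio
         - 5.0 * (vowel_ratio - 0.15) + 0.15 * (n - 10))
    return 1.0 / (1.0 + math.exp(-z))


def sum_probability_by_source(events, bucket_seconds=BUCKET_SECONDS):
    """Sum per-domain probabilities per (bucket start, source IP), like a high_sum detector."""
    sums = defaultdict(float)
    for ts, src_ip, domain in events:
        bucket = ts - (ts % bucket_seconds)
        sums[(bucket, src_ip)] += dga_probability(domain)
    return dict(sums)


def alerts(events, threshold=SUM_THRESHOLD, bucket_seconds=BUCKET_SECONDS):
    """Return sorted (bucket start, source IP, summed probability) tuples at or above threshold."""
    sums = sum_probability_by_source(events, bucket_seconds)
    hits = [(bucket, ip, total) for (bucket, ip), total in sums.items() if total >= threshold]
    return sorted(hits)


if __name__ == "__main__":
    for bucket, ip, total in alerts(SAMPLE_DNS_EVENTS):
        print(f"bucket={bucket} source.ip={ip} sum_probability={total:.2f}")
```

Run as a script, the only source flagged is 10.0.0.7, whose four random-looking labels each score close to 1 while the two hosts querying ordinary example domains stay near zero. In an investigation, the per-source sum is what distinguishes a single odd lookup from the burst of failed resolutions a DGA produces, which is why the job aggregates by source IP rather than alerting on individual domains.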
Detection coverage (2 rules)
DNS Request to High Probability DGA Domain
Severity: low. Detects DNS queries to domains identified as high probability DGA by machine learning.
Process Making DNS Requests to Multiple Unique Domains
Severity: low. Detects processes that initiate DNS requests to multiple unique domains within a short timeframe, potentially indicating DGA activity.