{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dga/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["dga","command-and-control","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a detection of potential DGA (Domain Generation Algorithm) activity identified by an Elastic machine learning job. DGAs are often used by malware for command and control (C2) communication, generating domain names dynamically to evade detection. The machine learning job, \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e, analyzes DNS requests to identify source IP addresses that exhibit a high probability of DGA activity. This detection relies on the DGA Detection integration, which includes an ML-based framework to detect DGA activity in DNS events. The integration requires Fleet and DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. This activity matters for defenders because successful DGA-based C2 channels can allow malware to maintain communication and control even when individual malicious domains are blocked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network, potentially through unpatched vulnerabilities or social engineering.\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the compromised host. This malware contains a DGA.\u003c/li\u003e\n\u003cli\u003eThe malware uses the DGA to generate a list of potential domain names.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates DNS requests to resolve the generated domain names.\u003c/li\u003e\n\u003cli\u003eThe DNS requests are sent to internal or external DNS servers.\u003c/li\u003e\n\u003cli\u003eThe machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e analyzes the DNS requests, specifically looking for source IPs with a high aggregate probability of generating DGA domains.\u003c/li\u003e\n\u003cli\u003eIf the anomaly score exceeds the threshold (70), an alert is triggered.\u003c/li\u003e\n\u003cli\u003eThe malware successfully establishes a C2 channel with a dynamically generated domain, enabling further malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of DGA-based command and control can lead to persistent malware infections, data exfiltration, and further compromise of systems within the network. While the severity is rated low, the potential impact can escalate quickly if the C2 channel is used for more damaging activities. This detection focuses on identifying potential DGA activity, enabling security teams to investigate and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the DGA Detection integration is installed and properly configured, including the machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e (references: \u003ca href=\"https://docs.elastic.co/en/integrations/dga\"\u003eElastic DGA Detection documentation\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003eprebuilt ML jobs\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eVerify that DNS events are being collected by Elastic Defend, Network Packet Capture, or Packetbeat and that the data view used by the machine learning job includes these events (references: \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e, \u003ca href=\"https://docs.elastic.co/integrations/network_traffic\"\u003eNetwork Packet Capture\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html\"\u003ePacketbeat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (currently 70) in the machine learning job based on your environment to reduce false positives and ensure timely detection of DGA activity.\u003c/li\u003e\n\u003cli\u003eReview and implement the triage and analysis steps outlined in the rule\u0026rsquo;s note section, focusing on identifying the source IP, analyzing DNS request patterns, and cross-referencing domains with threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-dga-activity/","summary":"A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.","title":"Potential DGA Activity Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-dga-activity/"}],"language":"en","title":"CraftedSignal Threat Feed — Dga","version":"https://jsonfeed.org/version/1.1"}