DET0669 Detection of Domain Generation Algorithms

ID: DET0669
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1637.001 (Domain Generation Algorithms)

Analytics

Android

AN1765

Monitor for pseudo-randomly generated domain names using lexical features of the observed hostnames: character frequency analysis, Markov-chain (n-gram) likelihood, Shannon entropy, the proportion of the label covered by dictionary words, the ratio of vowels to other characters, and similar measures.(Citation: Data Driven Security DGA) Additionally, check whether a suspicious domain was recently registered, is rarely visited, or showed a spike in activity after a dormant period.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) hostnames can produce false positives because their customer-specific labels are often long, high-entropy strings; allowlist known CDN suffixes rather than loosening the lexical thresholds.

Log Sources
  Data Component: Network Communication (DC0113)
  Name: Application Vetting
  Channel: None

Mutable Elements
  (none listed for this analytic)

iOS

AN1766

Monitor for pseudo-randomly generated domain names using lexical features of the observed hostnames: character frequency analysis, Markov-chain (n-gram) likelihood, Shannon entropy, the proportion of the label covered by dictionary words, the ratio of vowels to other characters, and similar measures.(Citation: Data Driven Security DGA) Additionally, check whether a suspicious domain was recently registered, is rarely visited, or showed a spike in activity after a dormant period.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) hostnames can produce false positives because their customer-specific labels are often long, high-entropy strings; allowlist known CDN suffixes rather than loosening the lexical thresholds.

Log Sources
  Data Component: Network Communication (DC0113)
  Name: Application Vetting
  Channel: None

Mutable Elements
  (none listed for this analytic)
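The Android (AN1765) and iOS (AN1766) analytics above describe the same lexical scoring of hostnames. The following is an added worked example and is not part of the DET0669 page or of any ATT&CK tooling: it scores every label of a domain with the features the analytics list (Shannon entropy, vowel ratio, dictionary-word coverage, and a character-bigram frequency model standing in for the Markov-chain check), then applies the CDN caveat by allowlisting known CDN suffixes. The dictionary, training labels, CDN suffix list, thresholds and sample hostnames are all constructed for illustration and would be replaced with real word lists and traffic baselines in practice.

```python
"""Lexical DGA scoring for hostnames observed in app network traffic.

Added example (not from the ATT&CK DET0669 page). All word lists, training
labels, CDN suffixes, thresholds and sample domains are constructed.
"""
import math
import re
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
VOWELS = set("aeiou")
MIN_LABEL_LEN = 6  # short labels (www, mail, shop) are too noisy to score

# Constructed mini-dictionary; a real deployment loads a full word list.
DICTIONARY = {"mail", "google", "cloud", "front", "update", "secure", "login",
              "bank", "news", "shop", "store", "play", "app", "net", "web"}

# Constructed CDN suffixes whose customer labels are random-looking by design.
CDN_SUFFIXES = (".cloudfront.net", ".akamaihd.net", ".azureedge.net")

# Constructed known-good labels used to fit the bigram frequency model.
BENIGN_TRAINING = ["google", "facebook", "microsoft", "amazon", "wikipedia",
                   "youtube", "twitter", "instagram", "netflix", "apple"]


def _fit_bigrams(labels):
    """Count character bigrams and first-character totals for add-one smoothing."""
    pair, first = Counter(), Counter()
    for s in labels:
        for a, b in zip(s, s[1:]):
            pair[(a, b)] += 1
            first[a] += 1
    return pair, first


PAIR_COUNTS, FIRST_COUNTS = _fit_bigrams(BENIGN_TRAINING)


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    return sum(ch in VOWELS for ch in s) / len(s)


def dictionary_coverage(s, words=DICTIONARY, min_word=3):
    """Fraction of characters covered by greedy longest-match dictionary words."""
    covered = i = 0
    while i < len(s):
        best = max((len(w) for w in words
                    if len(w) >= min_word and s.startswith(w, i)), default=0)
        covered += best
        i += best or 1
    return covered / len(s)


def bigram_log_likelihood(s):
    """Mean log2 P(b|a) over the label's bigrams, add-one smoothed over ALPHABET.
    Random labels consist mostly of unseen bigrams and score lower than words."""
    total = 0.0
    for a, b in zip(s, s[1:]):
        total += math.log2((PAIR_COUNTS[(a, b)] + 1) / (FIRST_COUNTS[a] + len(ALPHABET)))
    return total / max(len(s) - 1, 1)


def score_label(label):
    s = re.sub(r"[^a-z0-9]", "", label.lower())
    feats = {"entropy": shannon_entropy(s), "vowel_ratio": vowel_ratio(s),
             "dict_coverage": dictionary_coverage(s), "bigram_ll": bigram_log_likelihood(s)}
    # Constructed thresholds; tune on your own traffic before relying on them.
    feats["indicators"] = sum([feats["entropy"] >= 3.3, feats["vowel_ratio"] < 0.25,
                               feats["dict_coverage"] < 0.34, feats["bigram_ll"] < -5.0])
    return feats


def score_domain(domain):
    """Score every label except the TLD and report the most suspicious one.
    CDN hostnames that trip the lexical rules get their own verdict so the
    analyst sees the allowlist working instead of a silent miss."""
    domain = domain.lower().rstrip(".")
    labels = [l for l in domain.split(".")[:-1]
              if l != "www" and len(re.sub(r"[^a-z0-9]", "", l)) >= MIN_LABEL_LEN]
    if not labels:
        return {"domain": domain, "label": None, "indicators": 0, "verdict": "unscored"}
    worst_label, worst = max(((l, score_label(l)) for l in labels),
                             key=lambda item: item[1]["indicators"])
    suspicious = worst["indicators"] >= 3
    if suspicious and domain.endswith(CDN_SUFFIXES):
        verdict = "cdn-allowlisted"
    elif suspicious:
        verdict = "dga-like"
    else:
        verdict = "benign"
    return {"domain": domain, "label": worst_label, "verdict": verdict, **worst}


# Constructed sample of hostnames as an application-vetting step might extract them.
SAMPLE_DOMAINS = [
    "mail.google.com",               # benign: dictionary word, familiar bigrams
    "kq3vx9zjd7wl.com",              # random label: high entropy, no vowels
    "d1a2b3c4d5e6f.cloudfront.net",  # random-looking CDN label: would false-positive
    "shop.example.org",              # benign: not in dictionary but pronounceable
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = score_domain(d)
        print(f"{r['domain']:32} {r['verdict']:16} label={r['label']} "
              f"indicators={r['indicators']}")
```

The domain verdict is taken from the most suspicious label rather than the registrable domain alone, because CDN customer labels sit in the leftmost position; that is what lets the `cloudfront.net` sample trigger the lexical rules and then be downgraded by the suffix allowlist instead of by a weaker threshold. The registration age and dormancy checks the analytics also mention need external enrichment (WHOIS or passive DNS) and are not modelled here.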