Dictionary DGA detection via Supervised Classification

[fetterm4n]

Hunt Type 🔥

{"Alchemy (Model-Assisted)"=>"Hunts driven by models like anomaly detection or machine learning."}

HEARTH Crafter

fetterm4n

Hunt Idea / Hypothesis

Dictionary-based DGAs are a rare threat that require a model-based approach. These domains are algorithmically generated based on a dictionary of source words. Like traditional Domain Generation Algorithms, machine learning models can distinguish DGA / Non-DGA domains by training on sample data to learn on lexical features separating the classes.

MITRE ATT&CK Tactic

Command and Control

Implementation Notes

• Deploying a model-based detection against a high-volume logging source like web traffic can be costly and resource-intensive. For this task, I recommend a retroactive hunt using a deduplicated list of domains, enabling a quick and efficient M-ATH method for finding threats, or at least reducing our dataset for hunting.
• This is an evolving research area. Efficacy of a model may be heavily tied to the timeliness of the data, or the inclusion of the target malware family in the underlying training set.
• Sample data and pre-trained models are available for this hunt, however it is also possible to generate new data by modifying the reverse-engineered DGA algorithms here.
• False positives may be caused by Content Delivery Networks, Ad-tracking mechanisms

Search Tags

CommandandControl, #T1568.002, #DGA

Value and Impact

• An incident discovered via this method is likely a high severity / high impact finding.

Knowledge Base

• MITRE ATT&CK Dynamic Resolution: DGA
• Model-Assisted Threat Hunting for Dictionary DGAs
• Splunk SURGe Model-Assisted Threat Hunting Implementation

[DrTerdnugget]

Submission approved! Nice work! Don't forget to make a pull request to add your name to the list to get your official Contributor status on the repo here: https://github.com/triw0lf/HEARTH/blob/main/Keepers/Contributors.md