ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). Original translation; please obtain the translators' consent before republishing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1483

Glossary: /attack/glossary

Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

DGAs can take the form of apparently random or "gibberish" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.

Adversaries may use DGAs for the purpose of Fallback Channels (T1008). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.

Tags

ID: T1483

Tactic: Command and Control

Platforms: Linux, macOS, Windows

Permissions Required: User

Data Sources: Process use of network, Packet capture, Network device logs, Netflow/Enclave netflow, DNS records

Mitigations

Mitigation | Description
Network Intrusion Prevention (M1031) | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine the future domains that the malware will attempt to contact, but this is a time- and resource-intensive effort. Malware is also increasingly incorporating seed values that can be unique to each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic. Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost.
Restrict Web-Based Content (M1021) | In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.

Detection

Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more. CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another, more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.

Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high and the domain is not whitelisted (CDN, etc.), then it may be determined whether the domain is related to a legitimate host or to a DGA. Another approach is to use deep learning to classify domains as DGA-generated.
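The name-based signals listed above (entropy, vowel ratio, proportion of dictionary words) combined with a whitelist check, as an added Python example that is not part of ATT&CK or of this translation. The allowlist, wordlist and thresholds are constructed for the demo; it uses the two domain styles from the description to show that letter statistics catch the gibberish style while the word-concatenation style needs the dictionary signal.

```python
import math
from collections import Counter
# Constructed allowlist, wordlist and thresholds for the demo; a deployment would load CDN/top-site lists and a real dictionary.
ALLOWLIST = {"google", "cloudfront", "akamaihd"}
WORDLIST = {"city", "july", "dish", "example", "mail", "shop", "news", "cloud", "data"}
VOWELS = set("aeiou")

def second_level_label(domain):
    """Label left of the TLD; assumes a single-label public suffix (e.g. .net)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits per character; random-letter labels score high for their length."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s):
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def segment_words(label, words=WORDLIST):
    """Greedy longest-match split of the label into dictionary words."""
    found, i = [], 0
    while i < len(label):
        match = max((w for w in words if label.startswith(w, i)), key=len, default=None)
        if match:
            found.append(match)
            i += len(match)
        else:
            i += 1  # character not covered by any dictionary word
    return found

def classify(domain):
    """Return the name-based features plus a verdict for one domain."""
    label = second_level_label(domain)
    words = segment_words(label)
    coverage = sum(map(len, words)) / len(label) if label else 0.0
    f = {"label": label, "entropy": shannon_entropy(label),
         "vowel_ratio": vowel_ratio(label), "word_coverage": coverage}
    if label in ALLOWLIST:
        f["verdict"] = "allowlisted"      # never flag known CDN/top sites
    elif f["entropy"] >= 3.5 and f["vowel_ratio"] <= 0.35:
        f["verdict"] = "gibberish-dga"    # random-letter style (istgmxdejdnxuyla.ru)
    elif len(words) >= 3 and coverage == 1.0:
        f["verdict"] = "wordlist-dga"     # concatenated words (cityjulydish.net)
    else:
        f["verdict"] = "benign"
    return f
```

Feed it the second-level labels from DNS logs or packet captures; labels that end up as "benign" but are newly registered or rarely visited are candidates for the more general checks the text mentions.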