Approaches to detecting Domain Generation Algorithms (DGAs)
Presenter: Patrick Abraham
Format: 30 mins
Location: The Studio
With the ease of implementation for Malware developers and the difficulty in non-signature based detection, Domain Generation Algorithms (DGAs, ATT&CK ID: T1483) are an attractive technique used to facilitate C2 behaviors.
This talk aims to provide a short introduction into the world of DGAs (both malicious and benign) and will present a clustered view of popular DGA trends seen in the wild. The talk will then evaluate a variety of detection techniques on these clusters with comments made about the overall efficacy, signal-to-noise ration, relative difficulty and where possible, how red teamers could bypass these detections. Detection techniques will include but are not limited to:
* NXDomain Frequency Analysis
* Shannon Entropy
* N-Gram Analysis
Participants will walk away with an understanding of DGAs, why they are difficult in detecting and some new ideas about detections + detection bypasses.