Approaches to detecting Domain Generation Algorithms (DGAs)
Abstract

With the ease of implementation for malware developers and the difficulty of non-signature-based detection, Domain Generation Algorithms (DGAs, ATT&CK ID: T1483, since merged into T1568.002) are an attractive technique used to facilitate C2 behaviours. This talk aims to provide a short introduction to the world of DGAs (both malicious and benign) and will present a clustered view of popular DGA trends seen in the wild. The talk will then evaluate a variety of detection techniques on these clusters, with comments on their overall efficacy, signal-to-noise ratio, relative difficulty and, where possible, how red teamers could bypass these detections.

Detection techniques will include but are not limited to:

* NXDomain Frequency Analysis
* Shannon Entropy
* N-Gram Analysis

Participants will walk away with an understanding of DGAs, why they are difficult to detect, and some new ideas about detections and detection bypasses.

Speaker Bio: Patrick is a Security Specialist at Accenture Australia where he specialises in Threat Hunting, Automation and Detection. Patrick is a big fan of all things Python.
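The three detectors named in the list, run over a constructed DNS resolver log, as an added example for this page (it is not the speaker's code and does not reproduce the talk's clusters or thresholds). Assumptions: the log format `<seq> <client_ip> <qname> <rcode>`, the benign label corpus that stands in for a real top-sites list, and the three threshold values are all made up for the illustration. Three clients are simulated: a normal host with one typo'd lookup, a random-label DGA bot, and a wordlist-based DGA bot.

```python
"""Baseline DGA detectors (NXDOMAIN frequency, Shannon entropy, bigram score).

Added example for this page, not the speaker's code. Assumptions: resolver log
lines look like "<seq> <client_ip> <qname> <rcode>", and BENIGN_LABELS stands
in for a real benign corpus (e.g. a top-sites list).
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log. 10.0.0.5 is a normal client with one typo,
# 10.0.0.7 a pretend random-label DGA bot, 10.0.0.9 a pretend wordlist DGA bot.
SAMPLE_LOG = """\
1 10.0.0.5 www.google.com NOERROR
2 10.0.0.5 mail.google.com NOERROR
3 10.0.0.5 typo-exmaple.com NXDOMAIN
4 10.0.0.7 qxqdkjhfsd.net NXDOMAIN
5 10.0.0.7 zplwkdjvnb.com NXDOMAIN
6 10.0.0.7 mvbxkqplrzj.org NXDOMAIN
7 10.0.0.7 kjqzvxmwlpr.net NXDOMAIN
8 10.0.0.7 wqpxzvbnkmf.com NXDOMAIN
9 10.0.0.9 greenriver.net NXDOMAIN
10 10.0.0.9 silvergarden.com NXDOMAIN
11 10.0.0.9 brightpaint.org NXDOMAIN
12 10.0.0.9 quietwindow.net NXDOMAIN
"""

# Constructed stand-in for a benign label corpus.
BENIGN_LABELS = [
    "google", "microsoft", "amazon", "facebook", "github", "wikipedia",
    "youtube", "cloudflare", "twitter", "linkedin", "netflix", "apple",
    "reddit", "instagram", "office", "windowsupdate", "mozilla", "python",
    "greenhouse", "riverside", "silverlight", "brightcove", "gardenweb",
    "quietcool", "paintshop", "hosting",
]


def parse_log(text):
    """Yield (client_ip, qname, rcode) from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, client, qname, rcode = parts
            yield client, qname.lower().rstrip("."), rcode


def registrable_label(qname):
    """Second-level label: 'mail.google.com' -> 'google'. No public-suffix
    list is used here, so 'x.co.uk' would wrongly yield 'co'."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def train_bigram_model(labels):
    """Bigram counts over the benign corpus."""
    counts = Counter()
    for label in labels:
        counts.update(label[i:i + 2] for i in range(len(label) - 1))
    return counts


def bigram_score(label, model):
    """Mean log2(1 + benign count) over the label's bigrams. 0.0 means no
    bigram of the label occurs in the benign corpus; higher looks more benign."""
    grams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not grams:
        return 0.0
    return sum(math.log2(1 + model[g]) for g in grams) / len(grams)


def nxdomain_counts(log_text):
    """NXDOMAIN responses per client (frequency analysis)."""
    counts = Counter()
    for client, _, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return counts


def detect(log_text, model, nx_threshold=3, entropy_threshold=3.4, bigram_threshold=0.5):
    """Map each client to the sorted list of detectors that fired on it."""
    hits = defaultdict(set)
    for client, count in nxdomain_counts(log_text).items():
        if count >= nx_threshold:
            hits[client].add("nxdomain_frequency")
    for client, qname, _ in parse_log(log_text):
        label = registrable_label(qname)
        if shannon_entropy(label) >= entropy_threshold:
            hits[client].add("entropy")
        if bigram_score(label, model) < bigram_threshold:
            hits[client].add("bigram")
    return {client: sorted(names) for client, names in hits.items()}


MODEL = train_bigram_model(BENIGN_LABELS)

if __name__ == "__main__":
    for client, qname, rcode in parse_log(SAMPLE_LOG):
        label = registrable_label(qname)
        print(f"{client:10} {qname:20} {rcode:8} H={shannon_entropy(label):.2f} "
              f"bigram={bigram_score(label, MODEL):.2f}")
    print(detect(SAMPLE_LOG, MODEL))
```

Running it shows the trade-offs the abstract alludes to. The NXDOMAIN count is the only detector that fires on the wordlist bot (10.0.0.9), because its labels are built from the same bigrams as benign names; swapping random characters for dictionary words is the obvious red-team bypass for both lexical checks. The bigram score flags the benign client's typo (noise), and entropy rates the random "qxqdkjhfsd" at 2.92 bits but the word-based "silvergarden" at 3.25, so a single entropy threshold on short labels separates length more than randomness.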