Multiple requests for DGA domains indicating infection

ID: dga_volume
Data type: DNS, HTTP
Severity: High
MITRE ATT&CK: TA0011:T1568.002

Description

AlphaSOC detected multiple DNS queries for domain names exhibiting characteristics consistent with a Domain Generation Algorithm (DGA). DGAs are used by malware to dynamically create large numbers of domain names as rendezvous points for command and control (C2) servers. This technique helps malware evade detection and blocking by security controls. The presence of DGA domain requests may indicate an active malware infection on the network.

Impact

DGA-based malware can establish persistent C2 communications, allowing attackers to exfiltrate data, download additional payloads, or issue commands to compromised systems. This infection can lead to data breaches, system disruption, and potential spread to other network assets. The dynamic nature of DGAs makes it difficult for traditional security measures to block all malicious domains.

Severity

Severity | Condition
High | Multiple requests for DGA domains

Investigation and Remediation

Analyze the affected system for malware using updated antivirus and anti-malware tools. Investigate network logs to identify the extent of communication with DGA domains. Perform a thorough malware removal and system cleanup. Update all software and implement additional security controls to prevent reinfection. Consider resetting user credentials if compromise is confirmed.

Known False Positives

  • Some legitimate services use algorithms to generate subdomains for load balancing or content delivery
  • Web browsers may perform DNS requests to random domains to determine if the user is behind a captive portal (such as a hotel)
  • Antivirus software may generate requests to random-looking domains
  • Misconfigured or malfunctioning applications may generate requests to non-existent domains
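
For the log review described under Investigation and Remediation, and the browser-probe case listed under Known False Positives, the following added example (not AlphaSOC's detection logic or code) groups DNS queries by client, lists the distinct DGA-like names each one requested, and counts dotless random lookups separately. The log format, the length/entropy/vowel thresholds, the `min_domains` cut-off, and the assumption that browser probes show up as single-label names are all illustrative choices made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log: "<timestamp> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 xkqzvtrwpljhgfd.com NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 qwpzkxjvbnmtrlsd.net NXDOMAIN
2024-05-01T10:00:03Z 10.0.0.5 zmxncbvlaksjdhfg.org NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.5 plmoknijbuhvygct.info NOERROR
2024-05-01T10:00:05Z 10.0.0.5 www.example.com NOERROR
2024-05-01T10:00:06Z 10.0.0.9 hqzxkvwpjr NXDOMAIN
2024-05-01T10:00:06Z 10.0.0.9 tbnmqwzxcvlk NXDOMAIN
2024-05-01T10:00:07Z 10.0.0.9 mail.example.org NOERROR
2024-05-01T10:00:08Z 10.0.0.7 kzqxjvwpbnmtrl.biz NXDOMAIN
"""

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_generated(label):
    """Rough stand-in for a DGA classifier: long, high-entropy, few vowels."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio <= 0.25

def triage(log_text, min_domains=3):
    """Return (flagged clients, per-client count of single-label probes)."""
    names = defaultdict(set)   # client -> distinct DGA-like names queried
    nxdomain = Counter()       # client -> DGA-like queries answered NXDOMAIN
    probes = Counter()         # client -> random single-label lookups
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue           # skip malformed lines
        _, client, qname, rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) == 1:
            # Assumption: dotless random names are browser probes, not C2
            probes[client] += looks_generated(labels[0])
            continue
        # Naive: treats the second-to-last label as the registered name
        if looks_generated(labels[-2]):
            names[client].add(".".join(labels))
            nxdomain[client] += rcode == "NXDOMAIN"
    flagged = {c: {"domains": sorted(d), "nxdomain": nxdomain[c]}
               for c, d in names.items() if len(d) >= min_domains}
    return flagged, {c: n for c, n in probes.items() if n}
```

On the constructed log, only 10.0.0.5 is flagged; 10.0.0.9 appears only in the probe counts and 10.0.0.7 stays below the volume cut-off.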