ATT&CK-CN V1.01 Last Update: 2019-11

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.


ID: T1520

Tactic Type: Post-Adversary Device Access

Tactic: Command and Control

Platform: Android, iOS


Name Description
Rotexy(S0411) Rotexy(S0411) procedurally generates subdomains for command and control communication.



This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[2] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
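
An added example (not from the ATT&CK page or any vendor's detector) that combines three of the name-based signals listed above, entropy, vowel ratio and digit ratio, with a suffix allowlist for the CDN false positives the text mentions. The thresholds, the allowlist entry and all sample hostnames are constructed assumptions, not tuned values.

```python
import math
from collections import Counter

VOWELS = set("aeiou")
# Assumption: suffixes of CDN zones you have vetted; this entry is constructed.
CDN_ALLOWLIST = ("cdn.example.net",)

def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def candidate_label(domain):
    """Longest label left of the TLD (assumption: no public-suffix list)."""
    labels = [l for l in domain.lower().rstrip(".").split(".") if l]
    pool = labels[:-1] or labels
    return max(pool, key=len) if pool else ""

def features(domain):
    label = candidate_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in VOWELS for ch in letters)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "digit_ratio": digits / (len(label) or 1),
    }

def classify(domain, allowlist=CDN_ALLOWLIST):
    """Return 'suspicious', 'allowlisted' or 'not_flagged' for one hostname."""
    host = domain.lower().rstrip(".")
    f = features(host)
    # Illustrative thresholds: flag long labels that trip two or more signals.
    hits = (f["entropy"] >= 3.5) + (f["vowel_ratio"] < 0.3) + (f["digit_ratio"] > 0.3)
    if f["length"] < 10 or hits < 2:
        return "not_flagged"
    if any(host == s or host.endswith("." + s) for s in allowlist):
        return "allowlisted"  # name looks generated, but the zone is a vetted CDN
    return "suspicious"

if __name__ == "__main__":
    # Constructed sample hostnames, e.g. as pulled from DNS query logs.
    for name in ("www.example.com", "documentation.example.com",
                 "xkqzvbtrwpjhgd.example.org", "d1a2b3c4e5f6g7.cdn.example.net"):
        print(f"{name:35} {classify(name)}")
```

A name-only score like this is a triage signal; pairing it with domain registration age or visit rarity, as the text suggests, reduces both misses and false positives.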