This filter detects a NOERROR response to a DNS query for a hostname that appears to have been generated by a generic or unknown DGA (domain generation algorithm). A NOERROR response means that the queried name exists in the authoritative zone (the query was not answered with NXDOMAIN). Because a DGA typically produces many candidate names of which the operator registers only a few, a successful resolution of a DGA-looking name is a stronger signal than the NXDOMAIN noise around it: it could indicate an active attempt by a malware campaign to exfiltrate data from, or otherwise control, a compromised host. Note that NOERROR is a response code, not a guarantee that the answer section contains records for the requested type. However, due to the nature of this detection method, this filter is prone to false positives in certain situations, as outlined below.
- What It Does
- This filter is effective at detecting hosts that are compromised by an unknown family of malware and are involved in active communication with a C&C server. It can be used to find and remediate malware infections.
- What It Doesn't Do
- This filter will not prevent a host from becoming compromised in the first place. This detection method is post-infection only. It should also be noted that this filter only detects the DNS portion of communication with a C&C server. Other stages of the infection chain, such as the HTTP, FTP, or other-protocol traffic that follows resolution, are out of scope for this filter.
- Deployment Recommendations
- There is some risk of false positives as well as performance impacts in DNS-heavy environments. Because of this, the filter is not enabled by default, and it is recommended that you fully vet this filter in your particular environment before enabling it. This filter is most effective when deployed with Trace enabled so that you can examine the hostname that was being queried and decide on further actions from there.
- Examples
- True positives:
- tvjky3xzsmbxvpqgd.com
- zbjvpmtovtusimgw.com
- mzqdx.com
- False positives:
- Initialism domains, especially those formed from the initials of Chinese pinyin syllables, such as sxbznqp.com. These have the same vowel-poor, high-entropy shape as DGA output but are legitimately registered and in use.
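To make the behaviour and the false-positive caveat concrete, here is an added example of the detection logic run over a few constructed DNS log lines; it is not the filter's own implementation. The log format, the lexical thresholds (vowel ratio, longest consonant run, entropy with digits) and the analyst-maintained allowlist are all assumptions for illustration. It gates on the NOERROR response code as the filter does, flags the three true-positive examples above, also flags the sxbznqp.com false positive, and shows how a vetted allowlist suppresses that one after an analyst has examined the queried hostname.

```python
"""Generic-DGA NOERROR detector run over constructed DNS log lines.

Added example, not the filter's own code. Log format, thresholds and the
allowlist are assumptions chosen for illustration.
"""
import math
from collections import Counter

VOWELS = set("aeiou")  # assumption: 'y' is treated as a consonant

# Constructed sample log: "<timestamp> <client_ip> <qtype> <qname> <rcode>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A tvjky3xzsmbxvpqgd.com NOERROR
2024-05-01T10:00:02Z 10.0.0.5 A zbjvpmtovtusimgw.com NOERROR
2024-05-01T10:00:03Z 10.0.0.5 A mzqdx.com NOERROR
2024-05-01T10:00:04Z 10.0.0.5 A qpwoeirutyalskdjfh.com NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.7 A sxbznqp.com NOERROR
2024-05-01T10:00:06Z 10.0.0.7 A www.microsoft.com NOERROR
2024-05-01T10:00:07Z 10.0.0.7 AAAA windowsupdate.com NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname: str) -> str:
    """Last two labels, e.g. 'mzqdx.com' for 'www.mzqdx.com'.
    Assumption: multi-label public suffixes (co.uk etc.) are not handled."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_like_generic_dga(label: str) -> bool:
    """Lexical heuristic for a second-level label (thresholds are assumptions):
    long enough, and either nearly vowel-free, containing a long consonant
    run, or high-entropy mixed with digits."""
    if len(label) < 5:
        return False
    alpha = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in alpha) / max(len(alpha), 1)
    has_digit = any(c.isdigit() for c in label)
    return (vowel_ratio <= 0.25
            or longest_consonant_run(label) >= 5
            or (has_digit and shannon_entropy(label) >= 3.5))


def evaluate(log_text: str, allowlist=frozenset()) -> dict:
    """Map each queried name to 'alert', 'suppressed' (vetted false positive
    on the allowlist) or None. Only NOERROR responses are considered, as the
    filter does; NXDOMAIN lines are ignored even if the name looks random."""
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _qtype, qname, rcode = line.split()
        qname = qname.lower().rstrip(".")
        domain = registrable_domain(qname)
        label = domain.split(".")[0]
        if rcode != "NOERROR" or not looks_like_generic_dga(label):
            verdicts[qname] = None
        elif domain in allowlist:
            verdicts[qname] = "suppressed"
        else:
            verdicts[qname] = "alert"
    return verdicts


if __name__ == "__main__":
    # First pass: no allowlist, so sxbznqp.com fires as a false positive.
    for name, verdict in evaluate(SAMPLE_LOG).items():
        print(f"{verdict or '-':10} {name}")
    # After vetting the queried hostname (e.g. via Trace), suppress it.
    print(evaluate(SAMPLE_LOG, allowlist=frozenset({"sxbznqp.com"}))["sxbznqp.com"])
```

The point of the two passes is the deployment advice above: run the logic first in an observe-only mode, inspect the hostnames that fire, and promote the confirmed-benign initialism domains to an allowlist before enabling the filter to block.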