This filter detects an HTTP request to a web server for a host name that appears to be using a generic or unknown DGA (domain generation algorithm).
- What It Does
- This filter is effective at detecting hosts that may be compromised by malware and are involved in active communication with a C&C server. It can be used to find and remediate malware infections.
- What It Doesn't Do
- This filter will not prevent a host from becoming compromised in the first place; this detection method is post-infection only. It should also be noted that this filter only detects the HTTP portion of communication with a C&C server. Other parts of the exploitation chain that use DNS, FTP, or other protocols are out of scope for this filter.
- Deployment Recommendations
- There is some risk of false positives as well as performance impacts in HTTP-heavy environments. Because of this, the filter is not enabled by default, and it is recommended that you fully vet this filter in your particular environment before enabling it. This filter is most effective when deployed with Trace enabled so that you can examine the host name that was being queried and decide on further actions from there.
- Examples
- True positive: Host: aadcd15734d97346bb85f545dc8ca03e7e.com
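The following is an added illustration of the kind of Host-header check described above; it is not the filter's own logic. It extracts the Host header from raw HTTP requests and scores the second-level label with simple lexical heuristics (length, Shannon entropy, digit and vowel ratios). The thresholds and the sample requests other than the page's true-positive host are assumptions and constructed data, which is also why such a check needs vetting per environment before it is trusted.

```python
import math
import re
from collections import Counter

# Constructed sample requests; only the DGA-looking host comes from the filter description.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
    "GET /gate.php HTTP/1.1\r\nHost: aadcd15734d97346bb85f545dc8ca03e7e.com\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: updates.microsoft.com:443\r\n\r\n",
]

def host_from_request(raw):
    """Return the Host header value, lower-cased and without a port, or None."""
    m = re.search(r"^Host:\s*([^\r\n:]+)", raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip().lower() if m else None

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(host):
    """Lexical features of the second-level label (the part a DGA usually generates)."""
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(ch.isdigit() for ch in sld)
    vowels = sum(ch in "aeiou" for ch in sld)
    return {
        "label": sld,
        "length": len(sld),
        "entropy": round(shannon_entropy(sld), 3),
        "digit_ratio": round(digits / len(sld), 3),
        "vowel_ratio": round(vowels / len(sld), 3),
    }

def looks_generic_dga(host):
    """Assumed thresholds: long, high-entropy label that is digit-heavy or vowel-poor."""
    s = dga_score(host)
    return s["length"] >= 12 and s["entropy"] >= 3.0 and (
        s["digit_ratio"] >= 0.3 or s["vowel_ratio"] <= 0.15
    )

def scan(requests):
    """Return the Host values that match the heuristic, for analyst review."""
    hits = []
    for raw in requests:
        host = host_from_request(raw)
        if host and looks_generic_dga(host):
            hits.append(host)
    return hits
```

Long but legitimate labels (content-delivery or cloud-generated hostnames) can trip the same features, which is why the flagged host should be examined before any remediation is taken.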