dga_suspected

Explanation

This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name System (DNS) requests that is consistent with malware using a Domain Generation Algorithm (DGA). DGAs are a technique used by attackers to evade domain blocking or law enforcement take-downs of malware command and control infrastructure. The malware calls out to a different set of seemingly random domains every day. While the attacker might only register one or two domains from each day's pool, malware using a DGA will likely make hundreds of requests, resulting in a large number of failed requests with a response type of "NXDOMAIN".

Another scenario where this NDM might fire is an attempt by an attacker to enumerate valid hostnames within an external domain by brute force. Attackers might perform this sort of reconnaissance in order to identify hosts within the domain to target. The two scenarios differ in shape: a DGA produces failed lookups spread across many unrelated registered domains, whereas brute-force enumeration produces failed lookups for many hostnames under a single parent domain.

What to Look For

Examine the DNS traffic associated with the alarm. Investigate the source of these requests for malware infection or unauthorized software, and check DNS logs for any other hosts making DNS lookup requests for the offending domains.
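The following is an added example, not Netography's own detection logic or log format: it applies the two heuristics described above (many NXDOMAIN responses across many registered domains versus many under one parent domain) to constructed DNS log lines, and then performs the triage step of finding other hosts that looked up the same offending names. The log format, IP addresses and domain names are all invented for the example.

```python
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <src_ip> <qname> <rcode>" (format and values invented).
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 kq3xz9vplm.com NXDOMAIN
1700000001 10.0.0.5 a8dj2lq0wx.net NXDOMAIN
1700000002 10.0.0.5 mm91z0qpe4.org NXDOMAIN
1700000003 10.0.0.5 zz7q2plx0a.com NXDOMAIN
1700000004 10.0.0.5 updates.example.com NOERROR
1700000007 10.0.0.9 dev1.example.org NXDOMAIN
1700000008 10.0.0.9 vpn.example.org NXDOMAIN
1700000009 10.0.0.9 git.example.org NXDOMAIN
1700000011 10.0.0.11 kq3xz9vplm.com NXDOMAIN
"""

def parse_log(text):
    """Parse the constructed log into (epoch, src_ip, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, qname, rcode = line.split()
        records.append((int(ts), src, qname.lower().rstrip("."), rcode))
    return records

def registered_domain(qname):
    return ".".join(qname.split(".")[-2:])  # naive: last two labels, no public suffix list

def classify_sources(records, nx_threshold=3):
    """Label each source by the shape of its NXDOMAIN responses: failures spread over many
    registered domains -> 'dga_suspected'; failures all under one parent -> 'enumeration_suspected'."""
    failed = defaultdict(set)
    for _, src, qname, rcode in records:
        if rcode == "NXDOMAIN":
            failed[src].add(qname)
    labels = {}
    for src, names in failed.items():
        if len(names) < nx_threshold:
            continue  # a few typos or stale entries are normal
        parents = {registered_domain(n) for n in names}
        if len(parents) == 1:
            labels[src] = "enumeration_suspected"
        elif len(parents) >= nx_threshold:
            labels[src] = "dga_suspected"
    return labels

def hosts_querying(records, domains, exclude=None):
    """Triage step: which other hosts looked up the offending names? Returns {qname: [src_ip, ...]}."""
    hits = defaultdict(set)
    for _, src, qname, _ in records:
        if qname in domains and src != exclude:
            hits[qname].add(src)
    return {d: sorted(s) for d, s in hits.items()}
```

On the sample log, 10.0.0.5 is labelled dga_suspected, 10.0.0.9 enumeration_suspected, and 10.0.0.11 is surfaced only by the triage step because it queried one of 10.0.0.5's failed names.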

Related MITRE ATT&CK Categories

Command and Control, Tactic TA0011 - Enterprise

Dynamic Resolution, Technique T1568 - Enterprise

Acquire Infrastructure, Technique T1583 - Enterprise