DGA Malware Detection

  • Writer: Pavan Raja
  • Apr 9
  • 2 min read

Summary:

The document is an email chain discussing a Gartner MQ Dry Run event being prepared by Tamir Mitelman from HPE. It involves a demo showcasing DGA Malware Detection and DNS Analysis using two altered real-world scenarios. The demonstration includes visualizations such as time series charts, top DNS domains/hosts, detailed analysis of specific hosts (10.15.100.117 and cdqwwkndatvt.info), horizontal bar visualizations of communication patterns, and a search for related user accounts on other affected hosts within the network after the infection. The event files (with placeholders) are attached, along with a PowerPoint presentation that provides context for the demo scenario.

Details:

This email chain discusses a demo for a Gartner MQ Dry Run event being prepared by Tamir Mitelman from HPE. He has created two event files to demonstrate an Investigate scenario involving DGA Malware Detection and DNS Analysis. The events are based on real scenarios but have been altered to focus on specific alerts, visualizations, and suspicious activities within the organization. The demo includes:

  • A time series chart showing 'DGA Malware Detected' for both a single host (10.15.100.117) and a general alert monitoring DGA events across the organization in a specific time window.

  • Top DNS domains and hosts, highlighting the suspicious activity of infected hosts communicating with multiple internal hosts via DNS.

  • Detailed analysis of two hosts, 10.15.100.117 and cdqwwkndatvt.info, showing extensive SSH communication to/from other internal hosts, particularly on ports 6129 (outgoing), 445, and 139, which are used by malware for propagation.

  • Horizontal bar visualizations of all destinations a suspicious host communicates with over the last 24 hours, highlighting potential lateral movement patterns among internal hosts.

  • A search for all communication from 10.15.100.117 to find related user accounts and further investigation into their activity on other affected hosts within the network.
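The investigation flow above, as an added example that is not part of the original email chain or of any HPE/ArcSight product: a heuristic DGA score over DNS query logs flags the querying host, then a pivot lists the internal destinations that host reached on the propagation ports the demo names. The log formats, the scoring threshold and every value other than 10.15.100.117 and cdqwwkndatvt.info are assumptions.

```python
"""DGA heuristic scoring over constructed DNS and connection logs.
Added example, not code from the email chain or from HPE/ArcSight; the log
format, the threshold and all hosts except 10.15.100.117 are assumptions."""
import math
from collections import Counter, defaultdict
# Constructed sample logs: "<src_host> <query>" and "<src> <dst> <dport>".
DNS_LOG = """\
10.15.100.117 cdqwwkndatvt.info
10.15.100.117 xkqzvbtrpwml.net
10.15.100.117 www.microsoft.com
10.15.100.42 mail.google.com
"""
CONN_LOG = """\
10.15.100.117 10.15.100.42 445
10.15.100.117 10.15.100.43 139
10.15.100.117 10.15.100.44 6129
10.15.100.117 10.15.100.45 443
"""
PROPAGATION_PORTS = {445, 139, 6129}  # the ports the demo calls out

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dga_score(domain: str) -> float:
    """Entropy of the registrable label plus a penalty for vowel-poor labels.
    The 3.2 threshold used below is an assumption; baseline it on your own logs."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    return entropy(label) + (1.0 if vowel_ratio < 0.2 else 0.0)

def flag_dga_queries(dns_log: str, threshold: float = 3.2) -> dict:
    """Map each source host to the DGA-looking domains it queried."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        host, qname = line.split()
        if dga_score(qname) >= threshold:
            hits[host].add(qname)
    return dict(hits)

def propagation_targets(conn_log: str, host: str) -> list:
    """Internal destinations a flagged host reached on propagation ports."""
    out = []
    for line in conn_log.splitlines():
        src, dst, dport = line.split()
        if src == host and int(dport) in PROPAGATION_PORTS:
            out.append((dst, int(dport)))
    return out
```

Label entropy alone misfires on long legitimate names, so a production rule pairs it with a baseline of your own resolver traffic or an allowlist.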

The email includes attachments of the event files (with placeholders) and a PowerPoint presentation with screenshots demonstrating the scenario, aimed at providing context for the demo.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
