Create T1568.002.yaml (#3320)

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2026-04-24 10:54:08 +03:30
parent 27e0009ab5
commit 19dec86cbb
2 changed files with 56 additions and 0 deletions
@@ -0,0 +1,34 @@
+attack_technique: T1568.002
+display_name: "Dynamic Resolution: Domain Generation Algorithms"
+atomic_tests:
+- name: DGA Simulation (Python)
+  description: |
+    Simulates Domain Generation Algorithm (DGA) traffic by generating pseudo-random domains based on the current date and querying them using dig. 
+    This is designed to trigger DNS analytics and NGIDS.
+  supported_platforms:
+  - linux
+  input_arguments:
+    python_script_path:
+      description: Full path to the DGA python script
+      type: string
+      default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      #{python_script_path} must exist on system.
+    prereq_command: |
+      if [ -f "#{python_script_path}" ]; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      mkdir -p "$(dirname "#{python_script_path}")"
+      curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
+  - description: |
+      Python 3 must be installed to run the script.
+    prereq_command: |
+      which python3
+    get_prereq_command: |
+      sudo apt-get update && sudo apt-get install -y python3
+  executor:
+    command: |
+      python3 "#{python_script_path}"
+    name: bash
+    elevation_required: false
@@ -0,0 +1,22 @@
+import datetime
+import random
+import string
+import subprocess
+import time
+
+TLDs = ['.com', '.net', '.org', '.ru', '.biz']
+
+def generate_domain(seed):
+  random.seed(seed)
+  length = random.randint(10, 15)
+  name = ''.join(random.choice(string.ascii_lowercase) for _ in range(length))
+  return name + random.choice(TLDs)
+
+if __name__ == "__main__":
+  today = datetime.date.today().strftime('%Y%m%d')
+  print('[*] DGA cycle seed:', today)
+  for i in range(10):
+    domain = generate_domain(today + str(i))
+    print('[+] Querying:', domain)
+    subprocess.run(['dig', '+short', domain], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+    time.sleep(2)