diff --git a/atomics/T1568.002/T1568.002.yaml b/atomics/T1568.002/T1568.002.yaml
new file mode 100644
index 00000000..cfa7db6c
--- /dev/null
+++ b/atomics/T1568.002/T1568.002.yaml
@@ -0,0 +1,34 @@
+attack_technique: T1568.002
+display_name: "Dynamic Resolution: Domain Generation Algorithms"
+atomic_tests:
+- name: DGA Simulation (Python)
+ description: |
+ Simulates Domain Generation Algorithm (DGA) traffic by generating pseudo-random domains based on the current date and querying them using dig.
+ This is designed to trigger DNS analytics and NGIDS.
+ supported_platforms:
+ - linux
+ input_arguments:
+ python_script_path:
+ description: Full path to the DGA python script
+ type: string
+ default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ #{python_script_path} must exist on system.
+ prereq_command: |
+ if [ -f "#{python_script_path}" ]; then exit 0; else exit 1; fi
+ get_prereq_command: |
+ mkdir -p "$(dirname "#{python_script_path}")"
+ curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
+ - description: |
+ Python 3 must be installed to run the script.
+ prereq_command: |
+ which python3
+ get_prereq_command: |
+ sudo apt-get update && sudo apt-get install -y python3
+ executor:
+ command: |
+ python3 "#{python_script_path}"
+ name: bash
+ elevation_required: false
diff --git a/atomics/T1568.002/src/T1568.002.py b/atomics/T1568.002/src/T1568.002.py
new file mode 100644
index 00000000..6bc3ae6b
--- /dev/null
+++ b/atomics/T1568.002/src/T1568.002.py
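Review bot: The first dependency's `get_prereq_command` fetches `T1568.002.py` from the moving `master` branch with `curl -sL` and no `-f`, so a non-2xx response (an HTML error page) or any later change to that file is written to `#{python_script_path}`, satisfies the `-f` existence check in `prereq_command`, and is then executed unverified by the `python3 "#{python_script_path}"` executor. Pin the download to an immutable ref and fail the prereq on HTTP errors, e.g. `curl -fsSL "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit-sha>/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"`, and consider checking a known sha256 of the script before the executor runs it. The `dig` binary the description relies on has no dependency entry at all; add one mirroring the python3 block, `prereq_command: which dig` with `get_prereq_command: sudo apt-get update && sudo apt-get install -y dnsutils`, since the script has no fallback when `dig` is absent on minimal images. Note also that the `sudo apt-get` prereqs are Debian/Ubuntu-specific while `supported_platforms` lists linux generally, which is worth stating in the dependency description.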
@@ -0,0 +1,22 @@
+import datetime
+import random
+import string
+import subprocess
+import time
+
+TLDs = ['.com', '.net', '.org', '.ru', '.biz']
+
+def generate_domain(seed):
+ random.seed(seed)
+ length = random.randint(10, 15)
+ name = ''.join(random.choice(string.ascii_lowercase) for _ in range(length))
+ return name + random.choice(TLDs)
+
+if __name__ == "__main__":
+ today = datetime.date.today().strftime('%Y%m%d')
+ print('[*] DGA cycle seed:', today)
+ for i in range(10):
+ domain = generate_domain(today + str(i))
+ print('[+] Querying:', domain)
+ subprocess.run(['dig', '+short', domain], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+ time.sleep(2)
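Review bot: The `subprocess.run(['dig', '+short', domain], ...)` call in the main loop raises an unhandled `FileNotFoundError` when `dig` is not installed (redirecting stderr to `DEVNULL` does not cover that) and passes no `timeout`, so on a host whose resolver is unreachable each of the ten queries can block for dig's full retry budget before the loop continues. Report a missing binary once and bound each lookup, as sketched below, so the test either runs all ten queries or fails with a clear message instead of a traceback. Separately, `random.seed(seed)` inside `generate_domain` reseeds the process-wide RNG as a side effect; `rng = random.Random(seed)` with `rng.randint`/`rng.choice` keeps the same per-date determinism without it, and `datetime.date.today()` is the local date, so if the intent is a UTC-keyed cycle the seed should come from `datetime.datetime.now(datetime.timezone.utc).date()`.
```python
    for i in range(10):
        # … unchanged: domain generation and '[+] Querying:' print …
        try:
            # bound each lookup so an unreachable resolver cannot stall the whole run
            subprocess.run(['dig', '+short', domain],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                           timeout=15)
        except FileNotFoundError:
            print('[!] dig not found; install dnsutils/bind-utils and re-run')
            break
        except subprocess.TimeoutExpired:
            print('[!] lookup timed out:', domain)
        time.sleep(2)
```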