T1568.002

Domain Generation Algorithms

Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.

Microsoft Sentinel / Defender

kusto

// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy Analysis
// Requires: Azure DNS Analytics solution (DnsEvents table) or DNS server logs ingested via AMA/CEF
// Tune NXDomainThreshold and UniqueDomainsThreshold against your environment's DNS failure baseline
let TimeWindow = 1h;
let NXDomainThreshold = 20;
let UniqueDomainsThreshold = 15;
DnsEvents
| where TimeGenerated > ago(TimeWindow)
| where ResultCode == 3  // NXDOMAIN — query returned 'no such domain'
| extend Name = tolower(Name)
| extend DomainParts = split(Name, '.')
| extend SLD = tostring(DomainParts[array_length(DomainParts) - 2])
| where strlen(SLD) >= 7
| extend DomainLength = strlen(SLD)
// Vowel ratio: legitimate human-readable domains average 35-45% vowels
// DGA random-character strings typically have <20% vowels
| extend VowelCount = countof(SLD, 'a') + countof(SLD, 'e') + countof(SLD, 'i') + countof(SLD, 'o') + countof(SLD, 'u')
| extend VowelRatio = todouble(VowelCount) / todouble(DomainLength)
// Digit ratio: many DGAs embed digits; legitimate SLDs rarely exceed 30% digits
| extend DigitCount = countof(SLD, '0') + countof(SLD, '1') + countof(SLD, '2') + countof(SLD, '3') + countof(SLD, '4') + countof(SLD, '5') + countof(SLD, '6') + countof(SLD, '7') + countof(SLD, '8') + countof(SLD, '9')
| extend DigitRatio = todouble(DigitCount) / todouble(DomainLength)
| extend IsLikelyDGA = iff(
    VowelRatio < 0.20     // Very few vowels — algorithmically-generated random string
    or DigitRatio > 0.35  // High digit density — e.g., Conficker, QakBot variants
    or DomainLength > 16, // Abnormally long SLD uncommon in legitimate domains
    1, 0)
| summarize
    TotalNXDomain   = count(),
    UniqueNXDomains = dcount(Name),
    LikelyDGACount  = countif(IsLikelyDGA == 1),
    SampleDomains   = make_set(Name, 10),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by Computer, ClientIP
| where TotalNXDomain >= NXDomainThreshold and UniqueNXDomains >= UniqueDomainsThreshold
| extend DurationMinutes = iff(
    datetime_diff('minute', LastSeen, FirstSeen) < 1,
    todouble(1),
    todouble(datetime_diff('minute', LastSeen, FirstSeen)))
| extend QueryRate = round(todouble(UniqueNXDomains) / DurationMinutes, 2)
| extend AlertSeverity = case(
    LikelyDGACount > 10 and QueryRate > 5.0, 'Critical',
    LikelyDGACount > 5  or QueryRate > 2.0, 'High',
    'Medium')
| project
    Computer, ClientIP,
    TotalNXDomain, UniqueNXDomains, LikelyDGACount,
    QueryRate, DurationMinutes,
    AlertSeverity, SampleDomains,
    FirstSeen, LastSeen
| sort by LikelyDGACount desc, TotalNXDomain desc

high severity medium confidence

Data Sources

Network Traffic: DNS Resolution Azure DNS Analytics (DnsEvents table) DNS Server: Analytical Logs

Required Tables

DnsEvents

False Positives

Cloud infrastructure with GUID-based hostnames (Azure, AWS, GCP auto-generated resource names) performing DNS lookups that fail when services are deprovisioned or accessed cross-region
Security scanning and threat intelligence tools (Nessus, Qualys, Shodan crawlers, passive DNS enrichment pipelines) performing bulk DNS enumeration generating high NXDOMAIN rates
Content delivery networks using algorithmically-generated short-TTL subdomains with low vowel ratios — some Akamai, Cloudflare, and Fastly edge-node hostnames match entropy thresholds
Software development and CI/CD pipelines running integration tests that generate randomized ephemeral test domain names, or microservices discovery in misconfigured service meshes
Misconfigured DNS resolvers, split-horizon DNS setups, or VPN clients resolving internal domains against a public resolver — causing legitimate internal hostnames to return NXDOMAIN

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| rex field=QueryName "^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$"
| where isnotnull(sld) AND len(sld) >= 7
| eval sld=lower(sld)
| eval domain_length=len(sld)
| eval vowels=replace(sld, "[^aeiou]", "")
| eval vowel_count=len(vowels)
| eval vowel_ratio=vowel_count/domain_length
| eval digits=replace(sld, "[^0-9]", "")
| eval digit_count=len(digits)
| eval digit_ratio=digit_count/domain_length
| eval is_likely_dga=if(vowel_ratio < 0.20 OR digit_ratio > 0.35 OR domain_length > 16, 1, 0)
| eval is_nxdomain=if(match(QueryStatus, "(?i)(no such name|nxdomain|name error|9003|9501)"), 1, 0)
| bin _time span=1h
| stats
    count as total_queries,
    sum(is_nxdomain) as nxdomain_count,
    dc(QueryName) as unique_domains,
    sum(is_likely_dga) as likely_dga_count,
    values(eval(if(is_likely_dga=1, QueryName, null()))) as dga_sample_domains
    by _time, host, User
| where total_queries >= 20 AND unique_domains >= 15
| eval query_rate=round(unique_domains / 60.0, 3)
| eval severity=case(
    likely_dga_count > 10 AND query_rate > 0.25, "Critical",
    likely_dga_count > 5 OR query_rate > 0.08, "High",
    true(), "Medium")
| table _time, host, User, total_queries, nxdomain_count, unique_domains, likely_dga_count, query_rate, severity, dga_sample_domains
| sort - likely_dga_count

high severity medium confidence

Data Sources

Network Traffic: DNS Resolution Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Cloud infrastructure agents (Azure Monitor, AWS SSM, GCP Ops Agent) performing frequent health-check DNS lookups to GUID-based endpoints that cycle in/out of DNS
Security tools performing bulk DNS resolution for threat intelligence enrichment or asset discovery — Nessus, Qualys, Carbon Black, CrowdStrike sensor DNS lookups
CDN and SaaS products with algorithmically-generated subdomain names (low vowel ratio) used for geographic load distribution — Office 365, SharePoint, and Akamai edge nodes
Development machines running automated test suites that generate random domain names for DNS mocking or service discovery testing
Endpoint browsers making speculative DNS pre-fetches for URLs in the browser history or predictive omnibar — can generate high unique-domain counts on active workstations

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  "hostname",
  COUNT(*) AS total_nxdomain,
  COUNT(DISTINCT "dns_query_name") AS unique_nx_domains,
  SUM(CASE WHEN
    /* Vowel ratio < 20% heuristic via low vowel character presence */
    (CHAR_LENGTH(REGEXP_REPLACE(LOWER("sld_label"), '[^aeiou]', '')) * 1.0 /
     NULLIF(CHAR_LENGTH("sld_label"), 0)) < 0.20
    OR
    /* Digit ratio > 35% */
    (CHAR_LENGTH(REGEXP_REPLACE("sld_label", '[^0-9]', '')) * 1.0 /
     NULLIF(CHAR_LENGTH("sld_label"), 0)) > 0.35
    OR
    /* Abnormally long SLD */
    CHAR_LENGTH("sld_label") > 16
  THEN 1 ELSE 0 END) AS likely_dga_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM (
  SELECT
    sourceip,
    "hostname",
    starttime,
    "dns_query_name",
    LOWER(
      REGEXP_REPLACE(
        REGEXP_REPLACE("dns_query_name", '^(.+\.)?([^.]+)\.[^.]+$', '\\2'),
        ' ', ''
      )
    ) AS "sld_label"
  FROM events
  WHERE
    LOGSOURCETYPEID IN (SELECT id FROM logsourcetypes WHERE name ILIKE '%DNS%')
    AND QIDNAME(qid) ILIKE '%NXDOMAIN%'
    AND starttime > NOW() - 3600000
    AND "dns_query_name" IS NOT NULL
    AND CHAR_LENGTH("dns_query_name") > 0
) subq
WHERE CHAR_LENGTH("sld_label") >= 7
GROUP BY sourceip, "hostname"
HAVING total_nxdomain >= 20
  AND unique_nx_domains >= 15
ORDER BY likely_dga_count DESC, total_nxdomain DESC

high severity medium confidence

Data Sources

IBM QRadar DNS log sources Microsoft DNS Server logs forwarded via WinCollect ISC BIND logs via syslog Infoblox DNS RPZ logs

Required Tables

events

False Positives

Internal DNS resolvers aggregated behind a single source IP will appear to generate high NXDOMAIN rates from one host even though the traffic originates from many endpoints
Software update services with aggressive retry logic querying CDN endpoints that have changed DNS records will generate NXDOMAIN bursts
Penetration testing or vulnerability scanning tools executing DNS brute-force enumeration of subdomains against target domains

Sumo Logic CSE

sql

// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy
// Source: DNS server logs or Windows Sysmon Event 22 forwarded to Sumo Logic
_sourceCategory=dns OR _sourceCategory=windows/sysmon
| where !(isNull(%"dns.response_code")) or !(isNull(QueryStatus))
// Normalize NXDOMAIN field across source types
| if (!isNull(QueryStatus), QueryStatus, %"dns.response_code") as response_code
| where response_code matches /(?i)(NXDOMAIN|no such name|name error|9003|9501)/
| if (!isNull(QueryName), QueryName, %"dns.question.name") as query_name
| toLowerCase(query_name) as query_name
// Extract SLD using regex: capture second-to-last label before TLD
| parse regex field=query_name "^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$"
| where !isNull(sld) && strlen(sld) >= 7
| toLong(strlen(sld)) as domain_length
// Vowel ratio calculation
| replaceAll(sld, "[^aeiou]", "") as vowels
| toLong(strlen(vowels)) as vowel_count
| toDouble(vowel_count) / toDouble(domain_length) as vowel_ratio
// Digit ratio calculation
| replaceAll(sld, "[^0-9]", "") as digits
| toLong(strlen(digits)) as digit_count
| toDouble(digit_count) / toDouble(domain_length) as digit_ratio
// DGA heuristic scoring
| if (vowel_ratio < 0.20 OR digit_ratio > 0.35 OR domain_length > 16, 1, 0) as is_likely_dga
| if (!isNull(src_host), src_host, host) as reporting_host
| timeslice 1h
| stats
    count as total_nxdomain,
    dcount(query_name) as unique_nx_domains,
    sum(is_likely_dga) as likely_dga_count,
    values(query_name) as sample_domains
    by _timeslice, reporting_host
| where total_nxdomain >= 20 AND unique_nx_domains >= 15
| toDouble(unique_nx_domains) / 60.0 as query_rate
| if (likely_dga_count > 10 AND query_rate > 0.25, "Critical",
    if (likely_dga_count > 5 OR query_rate > 0.08, "High", "Medium")) as severity
| fields _timeslice, reporting_host, total_nxdomain, unique_nx_domains, likely_dga_count, query_rate, severity, sample_domains
| sort by likely_dga_count desc

high severity medium confidence

Data Sources

Windows Sysmon Event ID 22 (DNS Query) via Sumo Logic Windows collector ISC BIND or Microsoft DNS Server analytical logs Zeek DNS logs Palo Alto DNS Security logs

Required Tables

_sourceCategory=dns _sourceCategory=windows/sysmon

False Positives

DNS forwarders or recursive resolvers with many downstream clients will appear to originate high NXDOMAIN volumes from a single host IP
Automated integration tests or CI/CD pipelines running DNS-dependent service health checks against ephemeral or torn-down environments
Antivirus or EDR products performing DNS reputation checks for newly encountered file hashes by querying hash-based DNS indicator services

Google Chronicle / SecOps

yaral

rule t1568_002_dga_nxdomain_entropy_detection {
  meta:
    author          = "df00tech"
    description     = "Detects potential DGA C2 activity via abnormal NXDOMAIN rates and low-entropy domain names. Identifies hosts generating 20+ NXDOMAIN responses within 1 hour with 15+ unique failing domains, applying vowel ratio and domain length heuristics to classify algorithmically-generated domains."
    mitre_attack_id = "T1568.002"
    mitre_tactic    = "Command And Control"
    severity        = "HIGH"
    priority        = "HIGH"
    reference       = "https://attack.mitre.org/techniques/T1568/002/"
    version         = "1.0"
    created         = "2024-01-01"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.response_code = "NXDOMAIN"
    // Require a registered domain label of at least 7 characters
    $dns.network.dns.questions.name != ""
    re.regex($dns.network.dns.questions.name, `[a-zA-Z0-9]{7,}`) nocase
    // Bind principal host for grouping
    $dns.principal.hostname = $hostname
    $dns.principal.ip = $src_ip

  match:
    // Group by source host over a 1-hour sliding window
    $hostname, $src_ip over 1h

  outcome:
    // Count total NXDOMAIN events in window
    $total_nxdomain = count($dns.network.dns.questions.name)
    // Count distinct failing domain names
    $unique_nx_domains = count_distinct($dns.network.dns.questions.name)
    // Flag domains with high digit density (proxy for DGA without full entropy math in YARA-L)
    // domains where >35% chars are digits: use regex to approximate
    $likely_dga_high_digits = count_distinct(
      if(
        re.regex($dns.network.dns.questions.name, `^(?:.*\.)?[a-z]*[0-9][a-z0-9]*[0-9][a-z0-9]*[0-9]`),
        $dns.network.dns.questions.name
      )
    )
    // Flag abnormally long SLD (> 16 chars before TLD)
    $likely_dga_long_label = count_distinct(
      if(
        re.regex($dns.network.dns.questions.name, `^(?:.*\.)?[a-zA-Z0-9]{17,}\.[a-zA-Z]{2,}$`),
        $dns.network.dns.questions.name
      )
    )
    // Approximate low-vowel domains: SLD with no vowel runs of > 4 consonants
    $likely_dga_low_vowel = count_distinct(
      if(
        re.regex($dns.network.dns.questions.name, `^(?:.*\.)?[a-z]*[^aeiou ]{5,}[a-z]*\.`),
        $dns.network.dns.questions.name
      )
    )
    $likely_dga_total = $likely_dga_high_digits + $likely_dga_long_label + $likely_dga_low_vowel
    $sample_domain = array_distinct($dns.network.dns.questions.name)[0]

  condition:
    $total_nxdomain >= 20 and $unique_nx_domains >= 15
}

high severity medium confidence

Data Sources

Google Chronicle UDM DNS events Windows DNS Server logs ingested via Chronicle forwarder Palo Alto Networks DNS Security via Chronicle ingestion Zeek DNS logs forwarded to Chronicle

Required Tables

network_dns UDM events

False Positives

Corporate DNS resolvers serving many endpoints will aggregate NXDOMAIN traffic from thousands of hosts behind a single principal.ip, triggering the threshold for benign aggregate traffic
Security tools performing passive DNS collection or threat intelligence enrichment via bulk DNS resolution of IoC lists will generate high NXDOMAIN counts from the tool host
Gaming clients, P2P software, or browser extensions with aggressive background DNS checks for CDN availability may produce NXDOMAIN bursts during CDN failover events

CrowdStrike LogScale (CQL)

cql

// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy (CrowdStrike LogScale CQL)
// Requires: Falcon sensor with DNS protection enabled; DnsRequest events
// Event type: DnsRequest — emitted on every DNS query from monitored endpoints

#event_simpleName=DnsRequest
// Filter to NXDOMAIN responses — CrowdStrike records RequestType; response failures
// are captured in DomainResolutionStatus or via absence of resolved IP
| RequestType = "1"  // A record queries most common for DGA beaconing
// Normalize domain to lowercase
| DomainName = lower(DomainName)
// Extract SLD: strip subdomains, keep second-to-last label
| regex("^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$", field=DomainName)
| test(length(sld) >= 7)
// Compute domain length
| domain_length := length(sld)
// Vowel ratio approximation: count vowel chars
| vowel_chars := replace(sld, /[^aeiou]/, "")
| vowel_count := length(vowel_chars)
| vowel_ratio := vowel_count / domain_length
// Digit ratio
| digit_chars := replace(sld, /[^0-9]/, "")
| digit_count := length(digit_chars)
| digit_ratio := digit_count / domain_length
// DGA heuristic flag
| is_likely_dga := if(vowel_ratio < 0.20 OR digit_ratio > 0.35 OR domain_length > 16, 1, 0)
// NXDOMAIN indicator: no IPv4 response recorded
// DomainResolutionStatus == "1" indicates failure in some Falcon schema versions;
// absence of SocketIp also indicates resolution failure
| is_nxdomain := if(SocketIp = "" OR isnull(SocketIp), 1, 0)
| test(is_nxdomain = 1)
// Aggregate per host per 1-hour bucket
| bucket(field=[@timestamp], function="1h", as=time_bucket)
| groupBy([time_bucket, ComputerName, aip], function=[
    count(as=total_nxdomain),
    count(DomainName, distinct=true, as=unique_nx_domains),
    sum(is_likely_dga, as=likely_dga_count),
    collect(field=DomainName, limit=10, as=sample_domains)
  ]
)
| test(total_nxdomain >= 20 AND unique_nx_domains >= 15)
// Query rate per minute
| query_rate := round(unique_nx_domains / 60.0, 3)
// Severity classification
| severity := if(likely_dga_count > 10 AND query_rate > 0.25, "Critical",
               if(likely_dga_count > 5 OR query_rate > 0.08, "High", "Medium"))
| select([time_bucket, ComputerName, aip, total_nxdomain, unique_nx_domains, likely_dga_count, query_rate, severity, sample_domains])
| sort(likely_dga_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor DNS telemetry (DnsRequest events) Falcon Data Replicator (FDR) DNS events streamed to LogScale

Required Tables

DnsRequest Falcon event stream

False Positives

Hosts running recursive DNS resolver software (e.g., Unbound, dnsmasq) will relay NXDOMAIN responses from many clients through a single endpoint identity, artificially inflating per-host counts
Automated patching or software deployment systems querying package repository mirrors by hash or version strings that no longer resolve will generate bursts of NXDOMAIN responses
Browser sync services, Chromium-based browsers with aggressive DNS prefetch, or Electron apps with background service discovery may generate sustained NXDOMAIN activity against short-lived ephemeral service endpoints

Last updated: 2026-04-21 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1568.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Generation Algorithms

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections