Detect Domain Generation Algorithms in Elastic Security
Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1568 Dynamic Resolution
- Sub-technique
- T1568.002 Domain Generation Algorithms
- Canonical reference
- https://attack.mitre.org/techniques/T1568/002/
Elastic Detection Query
// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy (Elastic EQL)
// Requires: Elastic Agent with DNS event collection or Packetbeat with DNS plugin
// Uses sequence-less aggregation via ES|QL or threshold alert on this EQL base
sequence by host.name, source.ip with maxspan=1h
[dns where dns.response_code == "NXDOMAIN"
and length(dns.question.registered_domain) >= 7
] with runs=20Detects potential DGA activity by identifying hosts generating abnormally high NXDOMAIN failure rates within a 1-hour window. Complements with ES|QL for entropy analysis: FROM logs-* | WHERE dns.response_code == "NXDOMAIN" | EVAL sld = SPLIT(dns.question.name, ".") | EVAL domain_length = LENGTH(LAST(sld)) | WHERE domain_length >= 7 | STATS nxdomain_count = COUNT(), unique_domains = COUNT_DISTINCT(dns.question.name) BY host.name, source.ip, BUCKET(@timestamp, 1 hour) | WHERE nxdomain_count >= 20 AND unique_domains >= 15
Data Sources
Required Tables
False Positives & Tuning
- Misconfigured or buggy applications performing NXDOMAIN lookups for non-existent internal service endpoints at high rates during startup or retry storms
- Security scanning tools, DNS enumeration scripts, or pentest tooling (e.g., fierce, dnsrecon) run by IT operations against internal zones
- CDN or DNS-based load balancers generating high NXDOMAIN volumes during failover testing or misconfigured health checks
- Browser or OS pre-fetching behavior with aggressive DNS prefetch lists hitting expired or garbage-collected domains at scale
Other platforms for T1568.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Time-Seeded DGA Simulation (Conficker-Style)
Expected signal: Sysmon Event ID 22 (DNS Query): 30 entries with Image=powershell.exe, QueryName values containing random-character strings (10-16 chars, low vowel ratio). QueryStatus will show 'No Such Name' or equivalent NXDOMAIN code for all 30. DnsEvents: ResultCode=3 for all generated domains. The Sysmon process chain shows powershell.exe as the Image with no suspicious parent.
- Test 2Bash DGA Simulation — Random Character String Domains (Linux/macOS)
Expected signal: Linux auditd SYSCALL records for nslookup execution with random domain arguments (if auditd configured for execve syscalls). Syslog entries from nslookup showing NXDOMAIN responses. Network capture shows UDP port 53 queries to the configured resolver for random-string .com domains. EDR process telemetry: nslookup spawned 30 times from bash with unique arguments per invocation.
- Test 3Python DGA Simulation with Date-Seeded Algorithm
Expected signal: Sysmon Event ID 1: python3.exe process creation with command line containing the DGA script inline. Sysmon Event ID 22: 30 DNS query events with Image=python3.exe (or python.exe), QueryName values showing random lowercase strings ending in .net. Windows Security Event 4688 (if command line auditing enabled) shows the full python3.exe invocation.
- Test 4Rapid nslookup Batch — High-Entropy Domain Names (Windows CMD)
Expected signal: Sysmon Event ID 22: 17 DNS query events with Image=nslookup.exe (or cmd.exe as parent), each QueryName showing a consonant-heavy random string ending in .com. All return NXDOMAIN. Windows Security Event 4688 shows cmd.exe execution followed by multiple nslookup.exe child processes. The batch executes in approximately 2-5 seconds, creating a high-velocity NXDOMAIN burst.
References (12)
- https://attack.mitre.org/techniques/T1568/002/
- https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- https://arxiv.org/pdf/1611.00791.pdf
- https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
- https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
- https://learn.microsoft.com/en-us/azure/sentinel/dns-domain-generation-algorithm
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1568.002/T1568.002.md
Unlock Pro Content
Get the full detection package for T1568.002 including response playbook, investigation guide, and atomic red team tests.