T1568.002 CrowdStrike LogScale · LogScale

Detect Domain Generation Algorithms in CrowdStrike LogScale

Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1568 Dynamic Resolution
Sub-technique: T1568.002 Domain Generation Algorithms
Canonical reference: https://attack.mitre.org/techniques/T1568/002/

LogScale Detection Query

// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy (CrowdStrike LogScale CQL)
// Requires: Falcon sensor with DNS protection enabled; DnsRequest events
// Event type: DnsRequest — emitted on every DNS query from monitored endpoints

#event_simpleName=DnsRequest
// A-record queries (RequestType 1) are the most common shape for DGA beaconing
| RequestType = "1"
// NXDOMAIN proxy: no resolved IPv4 address recorded on the event.
// DomainResolutionStatus == "1" indicates failure in some Falcon schema versions;
// absence of SocketIp also indicates resolution failure
| (SocketIp = "" OR NOT SocketIp = *)
// Normalize domain to lowercase (:= assigns; a bare = would be a filter, not an assignment)
| DomainName := lower(DomainName)
// Extract SLD: strip subdomains, keep the second-to-last label as the field "sld"
| DomainName = /^(?:.*\.)?(?<sld>[^.]+)\.[^.]+$/
// Compute domain length, then drop short labels
| domain_length := length(sld)
| domain_length >= 7
// Vowel ratio: strip every non-vowel character and measure what remains
| replace(regex="[^aeiou]", with="", field=sld, as=vowel_chars)
| vowel_count := length(vowel_chars)
| vowel_ratio := vowel_count / domain_length
// Digit ratio
| replace(regex="[^0-9]", with="", field=sld, as=digit_chars)
| digit_count := length(digit_chars)
| digit_ratio := digit_count / domain_length
// DGA heuristic flag (1 = looks algorithmically generated)
| is_likely_dga := if(vowel_ratio < 0.20 || digit_ratio > 0.35 || domain_length > 16, then=1, else=0)
// Aggregate per host per 1-hour bucket; bucket() emits the bucket start time as _bucket
| bucket(span=1h, field=[ComputerName, aip], function=[
    count(as=total_nxdomain),
    count(DomainName, distinct=true, as=unique_nx_domains),
    sum(is_likely_dga, as=likely_dga_count),
    collect([DomainName], limit=10)
  ])
| rename(field=DomainName, as=sample_domains)
// Alert thresholds: volume and breadth of failing lookups within the hour
| total_nxdomain >= 20 AND unique_nx_domains >= 15
// Unique failing domains per minute
| query_rate := unique_nx_domains / 60
// Severity classification
| case {
    likely_dga_count > 10 AND query_rate > 0.25 | severity := "Critical";
    likely_dga_count > 5 OR query_rate > 0.08   | severity := "High";
    *                                           | severity := "Medium"
  }
// Present the rate to three decimals
| format("%.3f", field=[query_rate], as=query_rate)
| select([_bucket, ComputerName, aip, total_nxdomain, unique_nx_domains, likely_dga_count, query_rate, severity, sample_domains])
| sort(likely_dga_count, order=desc)
Severity: High · Confidence: Medium

Detects DGA-based C2 beaconing using CrowdStrike Falcon DnsRequest telemetry. Filters to DNS A-record queries with no resolved IP (NXDOMAIN proxy), extracts the second-level domain label, and applies vowel ratio, digit ratio, and length heuristics to classify algorithmically-generated strings. Aggregates per host over 1-hour windows and alerts when NXDOMAIN volume and unique domain count thresholds are exceeded, with severity scoring based on DGA-classified domain count and query rate.
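A Python prototype of the same heuristics, added here as an example (it is not code from the page, from the LogScale query, or from CrowdStrike): it extracts the second-level label with the query's regex, applies the vowel-ratio, digit-ratio and length cutoffs, computes the per-character entropy the introduction mentions as a DGA signal, aggregates per host and UTC hour with the query's thresholds, and runs over constructed records whose field names mirror DnsRequest (ComputerName, DomainName, SocketIp) but whose hosts, domains and addresses are invented. The sample set includes the page's two example domains, istgmxdejdnxuyla.ru and cityjulydish.net; both pass all three per-domain cutoffs, which is why the per-host volume and unique-count thresholds carry the alert rather than the per-domain flag alone.

```python
"""Prototype of the NXDOMAIN-rate and domain-shape heuristics behind the LogScale query,
run over constructed DNS records. Added example, not the page's or CrowdStrike's code;
field names mirror Falcon DnsRequest, every host, domain and address is invented."""
import math
import re
from collections import defaultdict

# Same SLD extraction the query performs: the label directly left of the TLD.
SLD_RE = re.compile(r"^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$")
VOWELS = set("aeiou")


def second_level_label(domain):
    """Return the second-level label of a lowercased domain, or None if there is none."""
    m = SLD_RE.match(domain.lower())
    return m.group("sld") if m else None


def shannon_entropy(s):
    """Bits per character; reported for analyst context, not used in the flag."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def domain_features(sld):
    """The three cutoffs from the query (vowel ratio, digit ratio, length) plus entropy."""
    n = len(sld)
    vowel_ratio = sum(ch in VOWELS for ch in sld) / n
    digit_ratio = sum(ch.isdigit() for ch in sld) / n
    return {"length": n, "vowel_ratio": vowel_ratio, "digit_ratio": digit_ratio,
            "entropy": shannon_entropy(sld),
            "is_likely_dga": vowel_ratio < 0.20 or digit_ratio > 0.35 or n > 16}


def classify_severity(likely_dga_count, query_rate):
    """Severity ladder with the query's thresholds."""
    if likely_dga_count > 10 and query_rate > 0.25:
        return "Critical"
    if likely_dga_count > 5 or query_rate > 0.08:
        return "High"
    return "Medium"


def aggregate(records, min_total=20, min_unique=15):
    """Group NXDOMAIN-proxy records per (UTC hour, host); return alerts over both thresholds."""
    buckets = defaultdict(lambda: {"total": 0, "domains": set(), "dga": 0, "samples": []})
    for r in records:
        if r["SocketIp"]:              # an address came back: not an NXDOMAIN proxy
            continue
        sld = second_level_label(r["DomainName"])
        if sld is None or len(sld) < 7:
            continue
        b = buckets[(r["timestamp"][:13], r["ComputerName"])]   # key: "YYYY-MM-DDTHH", host
        b["total"] += 1
        b["domains"].add(r["DomainName"].lower())
        b["dga"] += domain_features(sld)["is_likely_dga"]
        if len(b["samples"]) < 10:
            b["samples"].append(r["DomainName"])
    alerts = []
    for (hour, host), b in buckets.items():
        unique = len(b["domains"])
        if b["total"] < min_total or unique < min_unique:
            continue
        rate = round(unique / 60.0, 3)          # unique failing names per minute
        alerts.append({"hour": hour, "ComputerName": host, "total_nxdomain": b["total"],
                       "unique_nx_domains": unique, "likely_dga_count": b["dga"],
                       "query_rate": rate, "severity": classify_severity(b["dga"], rate),
                       "sample_domains": b["samples"]})
    return sorted(alerts, key=lambda a: a["likely_dga_count"], reverse=True)


# ---- constructed sample telemetry; none of these names or hosts are real ----
DGA_LOOKING = [
    "xkqzvbtrwp.com", "mzplqtxwvb.net", "ghrtvbnmkq.org", "zzxcvbqwpl.com",
    "kjhgfdslpq.net", "qwplmnbvcx.com", "tzrkpvwxlm.org", "bvnmqxzlkp.com",
    "hjklzxcvbq.net", "wrtyplkjhg.com", "psdfghjklz.org", "mnbvcxzlkj.com",
    "qzwxcrvtbn.net", "tnmlkjhgfd.com", "trfvbgtyhn.org", "plmkjnhbgv.com",
    "a1e2i3o4u5.net",                # flagged by digit ratio only
    "secureupdateservicecloud.com",  # flagged by length only
    "istgmxdejdnxuyla.ru",           # the page's own example: passes all three cutoffs
    "cityjulydish.net",              # dictionary-word DGA: also passes the cutoffs
]


def sample_records():
    recs = [{"timestamp": f"2024-05-01T10:{2 * i:02d}:00Z", "ComputerName": "WS-DGA-01",
             "DomainName": d, "SocketIp": ""}
            for i, d in enumerate(DGA_LOOKING + ["xkqzvbtrwp.com", "xkqzvbtrwp.com"])]
    # Same host, a lookup that resolved: excluded by the NXDOMAIN filter.
    recs.append({"timestamp": "2024-05-01T10:45:00Z", "ComputerName": "WS-DGA-01",
                 "DomainName": "update.example.com", "SocketIp": "203.0.113.10"})
    # An ordinary workstation with a few stale or mistyped names: stays under threshold.
    for minute, d in [("03", "gooogle.com"), ("15", "sharepoint-old.contoso-test.com"),
                      ("20", "wpad.corp")]:
        recs.append({"timestamp": f"2024-05-01T10:{minute}:00Z", "ComputerName": "WS-USER-07",
                     "DomainName": d, "SocketIp": ""})
    return recs


if __name__ == "__main__":
    for alert in aggregate(sample_records()):
        print(alert)
```

Running the file prints the single alert the constructed set produces, for the host with 22 failing lookups across 20 unique names; the second host, with two qualifying failures, never reaches the thresholds. Swapping the constructed list for a day of real NXDOMAIN records is the quickest way to see how many of the page's tuning cases (resolvers, patch mirrors, browser prefetch) land above the cutoffs in a given environment.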

Data Sources

  • CrowdStrike Falcon sensor DNS telemetry (DnsRequest events)
  • Falcon Data Replicator (FDR) DNS events streamed to LogScale

Required Tables

DnsRequest Falcon event stream

False Positives & Tuning

  • Hosts running recursive DNS resolver software (e.g., Unbound, dnsmasq) will relay NXDOMAIN responses from many clients through a single endpoint identity, artificially inflating per-host counts
  • Automated patching or software deployment systems querying package repository mirrors by hash or version strings that no longer resolve will generate bursts of NXDOMAIN responses
  • Browser sync services, Chromium-based browsers with aggressive DNS prefetch, or Electron apps with background service discovery may generate sustained NXDOMAIN activity against short-lived ephemeral service endpoints

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Time-Seeded DGA Simulation (Conficker-Style)

    Expected signal: Sysmon Event ID 22 (DNS Query): 30 entries with Image=powershell.exe, QueryName values containing random-character strings (10-16 chars, low vowel ratio). QueryStatus will show 'No Such Name' or equivalent NXDOMAIN code for all 30. DnsEvents: ResultCode=3 for all generated domains. The Sysmon process chain shows powershell.exe as the Image with no suspicious parent.

  2. Test 2: Bash DGA Simulation — Random Character String Domains (Linux/macOS)

    Expected signal: Linux auditd SYSCALL records for nslookup execution with random domain arguments (if auditd configured for execve syscalls). Syslog entries from nslookup showing NXDOMAIN responses. Network capture shows UDP port 53 queries to the configured resolver for random-string .com domains. EDR process telemetry: nslookup spawned 30 times from bash with unique arguments per invocation.

  3. Test 3: Python DGA Simulation with Date-Seeded Algorithm

    Expected signal: Sysmon Event ID 1: python3.exe process creation with command line containing the DGA script inline. Sysmon Event ID 22: 30 DNS query events with Image=python3.exe (or python.exe), QueryName values showing random lowercase strings ending in .net. Windows Security Event 4688 (if command line auditing enabled) shows the full python3.exe invocation.

  4. Test 4: Rapid nslookup Batch — High-Entropy Domain Names (Windows CMD)

    Expected signal: Sysmon Event ID 22: 17 DNS query events with Image=nslookup.exe (or cmd.exe as parent), each QueryName showing a consonant-heavy random string ending in .com. All return NXDOMAIN. Windows Security Event 4688 shows cmd.exe execution followed by multiple nslookup.exe child processes. The batch executes in approximately 2-5 seconds, creating a high-velocity NXDOMAIN burst.
