T1568.002 IBM QRadar · QRadar

Detect Domain Generation Algorithms in IBM QRadar

Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.002 Domain Generation Algorithms
Canonical reference
https://attack.mitre.org/techniques/T1568/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  "hostname",
  COUNT(*) AS total_nxdomain,
  COUNT(DISTINCT "dns_query_name") AS unique_nx_domains,
  SUM(CASE WHEN
    /* Vowel ratio < 20% heuristic via low vowel character presence */
    (CHAR_LENGTH(REGEXP_REPLACE(LOWER("sld_label"), '[^aeiou]', '')) * 1.0 /
     NULLIF(CHAR_LENGTH("sld_label"), 0)) < 0.20
    OR
    /* Digit ratio > 35% */
    (CHAR_LENGTH(REGEXP_REPLACE("sld_label", '[^0-9]', '')) * 1.0 /
     NULLIF(CHAR_LENGTH("sld_label"), 0)) > 0.35
    OR
    /* Abnormally long SLD */
    CHAR_LENGTH("sld_label") > 16
  THEN 1 ELSE 0 END) AS likely_dga_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM (
  SELECT
    sourceip,
    "hostname",
    starttime,
    "dns_query_name",
    LOWER(
      REGEXP_REPLACE(
        REGEXP_REPLACE("dns_query_name", '^(.+\.)?([^.]+)\.[^.]+$', '\\2'),
        ' ', ''
      )
    ) AS "sld_label"
  FROM events
  WHERE
    LOGSOURCETYPEID IN (SELECT id FROM logsourcetypes WHERE name ILIKE '%DNS%')
    AND QIDNAME(qid) ILIKE '%NXDOMAIN%'
    AND starttime > NOW() - 3600000
    AND "dns_query_name" IS NOT NULL
    AND CHAR_LENGTH("dns_query_name") > 0
) subq
WHERE CHAR_LENGTH("sld_label") >= 7
GROUP BY sourceip, "hostname"
HAVING total_nxdomain >= 20
  AND unique_nx_domains >= 15
ORDER BY likely_dga_count DESC, total_nxdomain DESC
high severity medium confidence

Detects hosts generating suspicious volumes of NXDOMAIN DNS failures indicative of DGA C2 activity. Queries DNS log sources in QRadar for NXDOMAIN events, extracts the second-level domain (SLD), applies vowel ratio, digit ratio, and length heuristics to flag likely algorithmically-generated domains, and alerts when a host exceeds both the total failure count and unique domain thresholds within a rolling 1-hour window.

Data Sources

IBM QRadar DNS log sourcesMicrosoft DNS Server logs forwarded via WinCollectISC BIND logs via syslogInfoblox DNS RPZ logs

Required Tables

events

False Positives & Tuning

  • Internal DNS resolvers aggregated behind a single source IP will appear to generate high NXDOMAIN rates from one host even though the traffic originates from many endpoints
  • Software update services with aggressive retry logic querying CDN endpoints that have changed DNS records will generate NXDOMAIN bursts
  • Penetration testing or vulnerability scanning tools executing DNS brute-force enumeration of subdomains against target domains
Download portable Sigma rule (.yml)

Other platforms for T1568.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Time-Seeded DGA Simulation (Conficker-Style)

    Expected signal: Sysmon Event ID 22 (DNS Query): 30 entries with Image=powershell.exe, QueryName values containing random-character strings (10-16 chars, low vowel ratio). QueryStatus will show 'No Such Name' or equivalent NXDOMAIN code for all 30. DnsEvents: ResultCode=3 for all generated domains. The Sysmon process chain shows powershell.exe as the Image with no suspicious parent.

  2. Test 2Bash DGA Simulation — Random Character String Domains (Linux/macOS)

    Expected signal: Linux auditd SYSCALL records for nslookup execution with random domain arguments (if auditd configured for execve syscalls). Syslog entries from nslookup showing NXDOMAIN responses. Network capture shows UDP port 53 queries to the configured resolver for random-string .com domains. EDR process telemetry: nslookup spawned 30 times from bash with unique arguments per invocation.

  3. Test 3Python DGA Simulation with Date-Seeded Algorithm

    Expected signal: Sysmon Event ID 1: python3.exe process creation with command line containing the DGA script inline. Sysmon Event ID 22: 30 DNS query events with Image=python3.exe (or python.exe), QueryName values showing random lowercase strings ending in .net. Windows Security Event 4688 (if command line auditing enabled) shows the full python3.exe invocation.

  4. Test 4Rapid nslookup Batch — High-Entropy Domain Names (Windows CMD)

    Expected signal: Sysmon Event ID 22: 17 DNS query events with Image=nslookup.exe (or cmd.exe as parent), each QueryName showing a consonant-heavy random string ending in .com. All return NXDOMAIN. Windows Security Event 4688 shows cmd.exe execution followed by multiple nslookup.exe child processes. The batch executes in approximately 2-5 seconds, creating a high-velocity NXDOMAIN burst.

Last updated: 2026-04-21 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1568.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1568Dynamic Resolution

Related Sub-techniques

T1568.001Fast Flux DNST1568.003DNS Calculation

Related Techniques

T1568Dynamic ResolutionT1568.001Fast Flux DNST1071.004DNST1008Fallback ChannelsT1095Non-Application Layer ProtocolT1132.001Standard EncodingT1027Obfuscated Files or InformationT1573.001Symmetric CryptographyT1105Ingress Tool Transfer

Same Tactic: Command and Control

Popular Detections