T1568.002 Microsoft Sentinel · KQL

Detect Domain Generation Algorithms in Microsoft Sentinel

Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.002 Domain Generation Algorithms
Canonical reference
https://attack.mitre.org/techniques/T1568/002/

KQL Detection Query

Microsoft Sentinel (KQL)
// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy Analysis
// Requires: Azure DNS Analytics solution (DnsEvents table) or DNS server logs ingested via AMA/CEF
// Tune NXDomainThreshold and UniqueDomainsThreshold against your environment's DNS failure baseline
let TimeWindow = 1h;
let NXDomainThreshold = 20;
let UniqueDomainsThreshold = 15;
DnsEvents
| where TimeGenerated > ago(TimeWindow)
| where ResultCode == 3  // NXDOMAIN — query returned 'no such domain'
| extend Name = tolower(Name)
| extend DomainParts = split(Name, '.')
| extend SLD = tostring(DomainParts[array_length(DomainParts) - 2])
| where strlen(SLD) >= 7
| extend DomainLength = strlen(SLD)
// Vowel ratio: legitimate human-readable domains average 35-45% vowels
// DGA random-character strings typically have <20% vowels
| extend VowelCount = countof(SLD, 'a') + countof(SLD, 'e') + countof(SLD, 'i') + countof(SLD, 'o') + countof(SLD, 'u')
| extend VowelRatio = todouble(VowelCount) / todouble(DomainLength)
// Digit ratio: many DGAs embed digits; legitimate SLDs rarely exceed 30% digits
| extend DigitCount = countof(SLD, '0') + countof(SLD, '1') + countof(SLD, '2') + countof(SLD, '3') + countof(SLD, '4') + countof(SLD, '5') + countof(SLD, '6') + countof(SLD, '7') + countof(SLD, '8') + countof(SLD, '9')
| extend DigitRatio = todouble(DigitCount) / todouble(DomainLength)
| extend IsLikelyDGA = iff(
    VowelRatio < 0.20     // Very few vowels — algorithmically-generated random string
    or DigitRatio > 0.35  // High digit density — e.g., Conficker, QakBot variants
    or DomainLength > 16, // Abnormally long SLD uncommon in legitimate domains
    1, 0)
| summarize
    TotalNXDomain   = count(),
    UniqueNXDomains = dcount(Name),
    LikelyDGACount  = countif(IsLikelyDGA == 1),
    SampleDomains   = make_set(Name, 10),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by Computer, ClientIP
| where TotalNXDomain >= NXDomainThreshold and UniqueNXDomains >= UniqueDomainsThreshold
| extend DurationMinutes = iff(
    datetime_diff('minute', LastSeen, FirstSeen) < 1,
    todouble(1),
    todouble(datetime_diff('minute', LastSeen, FirstSeen)))
| extend QueryRate = round(todouble(UniqueNXDomains) / DurationMinutes, 2)
| extend AlertSeverity = case(
    LikelyDGACount > 10 and QueryRate > 5.0, 'Critical',
    LikelyDGACount > 5  or QueryRate > 2.0, 'High',
    'Medium')
| project
    Computer, ClientIP,
    TotalNXDomain, UniqueNXDomains, LikelyDGACount,
    QueryRate, DurationMinutes,
    AlertSeverity, SampleDomains,
    FirstSeen, LastSeen
| sort by LikelyDGACount desc, TotalNXDomain desc
Severity: High · Confidence: Medium

Detects DGA activity using the DnsEvents table (Azure DNS Analytics solution). It groups NXDOMAIN responses (ResultCode == 3) by Computer and ClientIP over the trailing 1-hour TimeWindow and applies three per-domain heuristics to the second-level label: a vowel ratio below 0.20 flags random-character DGAs; a digit ratio above 0.35 flags digit-heavy variants (Conficker, QakBot); an SLD length above 16 flags long random-string DGAs. A host with at least 20 NXDOMAIN responses (NXDomainThreshold) across at least 15 unique failing names (UniqueDomainsThreshold) raises an alert, whether or not the heuristics flagged any of those names. The QueryRate field (unique failing domains per minute of observed activity) separates automated rapid-fire DGA sweeps from slow jitter-based beaconing. AlertSeverity is derived from LikelyDGACount, the count of heuristic-flagged names that stands in for a true entropy measure (the query computes none), combined with QueryRate.
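The heuristics the query applies, as an added Python re-implementation (not code from this page, from Microsoft, or from any DGA project) that lets you test the thresholds offline against constructed DnsEvents-style records before tuning the rule. The shannon_entropy helper and the allow_suffixes tuning hook are additions the KQL does not have, the datetime_diff('minute') behaviour is approximated as whole minutes elapsed, and every hostname, computer name and IP in constructed_events() is made up and is never resolved:

```python
# Added example: a Python re-implementation of the KQL heuristics above, for testing
# thresholds offline before deploying the rule. Not code from the original page;
# every record in constructed_events() is made up and resolves nothing.
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import product

NXDOMAIN = 3  # DNS RCODE 3; the KQL filters on ResultCode == 3


def sld(name: str) -> str:
    """Second-level label, the same as DomainParts[array_length(DomainParts) - 2]."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label: str) -> float:
    return sum(c in "aeiou" for c in label) / len(label)


def digit_ratio(label: str) -> float:
    return sum(c.isdigit() for c in label) / len(label)


def shannon_entropy(label: str) -> float:
    """Bits per character. The KQL does not compute this; the two ratios are its proxy."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def is_likely_dga(label: str) -> bool:
    """Same three tests and thresholds as the IsLikelyDGA column."""
    return vowel_ratio(label) < 0.20 or digit_ratio(label) > 0.35 or len(label) > 16


def severity(likely: int, rate: float) -> str:
    """Same ordering as the AlertSeverity case() expression."""
    if likely > 10 and rate > 5.0:
        return "Critical"
    if likely > 5 or rate > 2.0:
        return "High"
    return "Medium"


def score_hosts(events, nx_threshold=20, unique_threshold=15, allow_suffixes=()):
    """Aggregate NXDOMAIN rows per (Computer, ClientIP) like the summarize stage.

    allow_suffixes is a tuning hook (not in the KQL) for the false positives listed
    below, e.g. split-horizon internal zones: names ending in one are dropped first.
    datetime_diff('minute') is approximated as whole minutes elapsed, floored at 1.
    """
    by_host = defaultdict(list)
    for ev in events:
        name = ev["Name"].lower().rstrip(".")
        if ev["ResultCode"] != NXDOMAIN or name.endswith(tuple(allow_suffixes)):
            continue
        if len(sld(name)) < 7:  # strlen(SLD) >= 7 in the query
            continue
        by_host[(ev["Computer"], ev["ClientIP"])].append((ev["TimeGenerated"], name))
    alerts = {}
    for host, rows in by_host.items():
        names = {n for _, n in rows}
        if len(rows) < nx_threshold or len(names) < unique_threshold:
            continue
        times = [t for t, _ in rows]
        minutes = max(1.0, (max(times) - min(times)).total_seconds() // 60)
        rate = round(len(names) / minutes, 2)
        likely = sum(is_likely_dga(sld(n)) for n in names)
        alerts[host] = {"TotalNXDomain": len(rows), "UniqueNXDomains": len(names),
                        "LikelyDGACount": likely, "QueryRate": rate,
                        "AlertSeverity": severity(likely, rate),
                        "SampleDomains": sorted(names)[:10]}
    return alerts


def constructed_events():
    """Synthetic DnsEvents rows (constructed, not real telemetry):
    WS-A random-character burst, WS-B dictionary-word labels,
    WS-C split-horizon false positive (internal zone asked of a public resolver)."""
    rng = random.Random(1234)
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = []

    def row(when, computer, ip, name):
        rows.append({"TimeGenerated": when, "Computer": computer, "ClientIP": ip,
                     "Name": name, "ResultCode": NXDOMAIN})

    for i in range(30):  # 30 consonant-only 12-char labels, 4 s apart
        label = "".join(rng.choice("bcdfghjklmnpqrstvwxz") for _ in range(12))
        row(t0 + timedelta(seconds=4 * i), "WS-A", "10.0.0.5", f"{label}.ru")
    combos = product(["city", "river", "stone"], ["july", "march", "green"], ["dish", "lamp", "road"])
    for i, w in enumerate(combos):  # 27 word-concatenation labels, 66 s apart
        row(t0 + timedelta(seconds=66 * i), "WS-B", "10.0.0.6", "".join(w) + ".net")
    for i in range(20):  # 20 distinct internal hostnames, 45 s apart
        row(t0 + timedelta(seconds=45 * i), "WS-C", "10.0.0.7", f"fileserver-{i:02d}.intranet.example")
    return rows


if __name__ == "__main__":
    for host, a in score_hosts(constructed_events()).items():
        print(host, a["AlertSeverity"], a["LikelyDGACount"], a["QueryRate"], a["SampleDomains"][:3])
```

Running it shows why the per-host volume thresholds carry the detection rather than the character heuristics: neither istgmxdejdnxuyla nor cityjulydish from the description above trips any of the three tests (vowel ratio 0.25 for both, lengths 16 and 12, no digits), so the dictionary-word host surfaces only as a Medium alert on NXDOMAIN volume, while the consonant-only burst reaches Critical on LikelyDGACount and QueryRate together. The split-horizon host alerts at Medium until it is excluded through allow_suffixes, which is the safer tuning than raising NXDomainThreshold for everyone.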

Data Sources

  • Network Traffic: DNS Resolution
  • Azure DNS Analytics (DnsEvents table)
  • DNS Server: Analytical Logs

Required Tables

DnsEvents

False Positives & Tuning

  • Cloud infrastructure with GUID-based hostnames (Azure, AWS, GCP auto-generated resource names) performing DNS lookups that fail when services are deprovisioned or accessed cross-region
  • Security scanning and threat intelligence tools (Nessus, Qualys, Shodan crawlers, passive DNS enrichment pipelines) performing bulk DNS enumeration generating high NXDOMAIN rates
  • Content delivery networks using algorithmically-generated short-TTL subdomains with low vowel ratios — some Akamai, Cloudflare, and Fastly edge-node hostnames match entropy thresholds
  • Software development and CI/CD pipelines running integration tests that generate randomized ephemeral test domain names, or microservices discovery in misconfigured service meshes
  • Misconfigured DNS resolvers, split-horizon DNS setups, or VPN clients resolving internal domains against a public resolver — causing legitimate internal hostnames to return NXDOMAIN
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: PowerShell Time-Seeded DGA Simulation (Conficker-Style)

    Expected signal: Sysmon Event ID 22 (DNS Query): 30 entries with Image=powershell.exe, QueryName values containing random-character strings (10-16 chars, low vowel ratio). QueryStatus will show 'No Such Name' or equivalent NXDOMAIN code for all 30. DnsEvents: ResultCode=3 for all generated domains. The Sysmon process chain shows powershell.exe as the Image with no suspicious parent.

  2. Test 2: Bash DGA Simulation — Random Character String Domains (Linux/macOS)

    Expected signal: Linux auditd SYSCALL records for nslookup execution with random domain arguments (if auditd configured for execve syscalls). Syslog entries from nslookup showing NXDOMAIN responses. Network capture shows UDP port 53 queries to the configured resolver for random-string .com domains. EDR process telemetry: nslookup spawned 30 times from bash with unique arguments per invocation.

  3. Test 3: Python DGA Simulation with Date-Seeded Algorithm

    Expected signal: Sysmon Event ID 1: python3.exe process creation with command line containing the DGA script inline. Sysmon Event ID 22: 30 DNS query events with Image=python3.exe (or python.exe), QueryName values showing random lowercase strings ending in .net. Windows Security Event 4688 (if command line auditing enabled) shows the full python3.exe invocation.

  4. Test 4: Rapid nslookup Batch — High-Entropy Domain Names (Windows CMD)

    Expected signal: Sysmon Event ID 22: 17 DNS query events with Image=nslookup.exe (or cmd.exe as parent), each QueryName showing a consonant-heavy random string ending in .com. All return NXDOMAIN. Windows Security Event 4688 shows cmd.exe execution followed by multiple nslookup.exe child processes. The batch executes in approximately 2-5 seconds, creating a high-velocity NXDOMAIN burst.
