T1568.002 Splunk · SPL

Detect Domain Generation Algorithms in Splunk

Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.002 Domain Generation Algorithms
Canonical reference
https://attack.mitre.org/techniques/T1568/002/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| rex field=QueryName "^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$"
| where isnotnull(sld) AND len(sld) >= 7
| eval sld=lower(sld)
| eval domain_length=len(sld)
| eval vowels=replace(sld, "[^aeiou]", "")
| eval vowel_count=len(vowels)
| eval vowel_ratio=vowel_count/domain_length
| eval digits=replace(sld, "[^0-9]", "")
| eval digit_count=len(digits)
| eval digit_ratio=digit_count/domain_length
| eval is_likely_dga=if(vowel_ratio < 0.20 OR digit_ratio > 0.35 OR domain_length > 16, 1, 0)
| eval is_nxdomain=if(match(QueryStatus, "(?i)(no such name|nxdomain|name error|9003|9501)"), 1, 0)
| bin _time span=1h
| stats
    count as total_queries,
    sum(is_nxdomain) as nxdomain_count,
    dc(QueryName) as unique_domains,
    sum(is_likely_dga) as likely_dga_count,
    values(eval(if(is_likely_dga=1, QueryName, null()))) as dga_sample_domains
    by _time, host, User
| where total_queries >= 20 AND unique_domains >= 15
| eval query_rate=round(unique_domains / 60.0, 3)
| eval severity=case(
    likely_dga_count > 10 AND query_rate > 0.25, "Critical",
    likely_dga_count > 5 OR query_rate > 0.08, "High",
    true(), "Medium")
| table _time, host, User, total_queries, nxdomain_count, unique_domains, likely_dga_count, query_rate, severity, dga_sample_domains
| sort - likely_dga_count
Severity: high · Confidence: medium

Detects DGA activity using Sysmon Event ID 22 (DNS Query) from Windows endpoints. Extracts the second-level domain from each QueryName field using a regex and applies vowel ratio, digit ratio, and length heuristics to score each domain. Queries are grouped by host and user into 1-hour buckets. Hosts with 20+ total DNS queries and 15+ unique domains in the window trigger the alert. The is_nxdomain field captures QueryStatus values matching known NXDOMAIN patterns (including Windows error codes 9003 and 9501). The query_rate field (unique domains per minute, normalized to the 60-minute bin) distinguishes frantic DGA sweeps from slow periodic attempts.
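The same heuristics, re-implemented in Python as an added example (not part of the original rule) so they can be run offline against a handful of constructed Sysmon Event ID 22 records: the rex pattern, the vowel/digit/length scoring, the 1-hour bucketing, the alert gates and the severity ladder all use the values from the SPL above. Host names, users and domains in the sample are constructed.

```python
import re
from collections import defaultdict

SLD_RE = re.compile(r"^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$")   # same pattern as the rex command
NXDOMAIN_RE = re.compile(r"(?i)(no such name|nxdomain|name error|9003|9501)")

def score_domain(query_name):
    # Returns (sld, is_likely_dga) with the rule's thresholds, or None when no SLD of >= 7 chars exists
    m = SLD_RE.match(query_name)
    if not m or len(m.group("sld")) < 7:
        return None
    sld = m.group("sld").lower()
    n = len(sld)
    vowel_ratio = len(re.sub(r"[^aeiou]", "", sld)) / n
    digit_ratio = len(re.sub(r"[^0-9]", "", sld)) / n
    return sld, int(vowel_ratio < 0.20 or digit_ratio > 0.35 or n > 16)

def severity(likely_dga_count, query_rate):
    if likely_dga_count > 10 and query_rate > 0.25:
        return "Critical"
    return "High" if likely_dga_count > 5 or query_rate > 0.08 else "Medium"

def aggregate(events):
    # Bucket records per (hour, host, User) like the SPL stats, then apply the alert gates
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "dga": 0})
    for e in events:
        scored = score_domain(e["QueryName"])
        if scored is None:                        # where isnotnull(sld) AND len(sld) >= 7
            continue
        b = buckets[(e["_time"] // 3600, e["host"], e["User"])]   # bin _time span=1h
        b["total"] += 1
        b["nx"] += bool(NXDOMAIN_RE.search(e["QueryStatus"]))
        b["names"].add(e["QueryName"])
        b["dga"] += scored[1]
    rows = []
    for (_, host, user), b in buckets.items():
        uniq = len(b["names"])
        if b["total"] < 20 or uniq < 15:         # where total_queries >= 20 AND unique_domains >= 15
            continue
        rate = round(uniq / 60.0, 3)             # unique domains per minute across the 1h bin
        rows.append({"host": host, "User": user, "total_queries": b["total"], "nxdomain_count": b["nx"], "unique_domains": uniq,
                     "likely_dga_count": b["dga"], "query_rate": rate, "severity": severity(b["dga"], rate)})
    return sorted(rows, key=lambda r: -r["likely_dga_count"])

# Constructed sample telemetry (not real data): WS01 sweeps 20 consonant-only .ru names that all fail with
# status 9003 plus two benign lookups; WS02 makes three ordinary queries and never reaches the gate.
def rec(i, host, user, name, status):
    return {"_time": 1_700_000_000 + i, "host": host, "User": user, "QueryName": name, "QueryStatus": status}
SAMPLE_EVENTS = [rec(i, "WS01", "CORP\\alice", f"xq{c}rtzkp{c}mw.ru", "9003") for i, c in enumerate("bcdfghjklmnpqrstvwxz")]
SAMPLE_EVENTS += [rec(20, "WS01", "CORP\\alice", "login.microsoftonline.com", "0"), rec(21, "WS01", "CORP\\alice", "www.example.com", "0")]
SAMPLE_EVENTS += [rec(30 + i, "WS02", "CORP\\bob", n, "0") for i, n in enumerate(["www.example.com", "mail.example.com", "cdn.example.net"])]
```

Note that the SLD regex takes whatever label precedes the final dot, so under multi-part public suffixes such as .co.uk it scores the suffix label (co) and drops the name as too short; a public-suffix list is needed to score those names correctly.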

Data Sources

Network Traffic: DNS Resolution
Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Cloud infrastructure agents (Azure Monitor, AWS SSM, GCP Ops Agent) performing frequent health-check DNS lookups to GUID-based endpoints that cycle in/out of DNS
  • Security tools performing bulk DNS resolution for threat intelligence enrichment or asset discovery — Nessus, Qualys, Carbon Black, CrowdStrike sensor DNS lookups
  • CDN and SaaS products with algorithmically-generated subdomain names (low vowel ratio) used for geographic load distribution — Office 365, SharePoint, and Akamai edge nodes
  • Development machines running automated test suites that generate random domain names for DNS mocking or service discovery testing
  • Endpoint browsers making speculative DNS pre-fetches for URLs in the browser history or predictive omnibar — can generate high unique-domain counts on active workstations

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Time-Seeded DGA Simulation (Conficker-Style)

    Expected signal: Sysmon Event ID 22 (DNS Query): 30 entries with Image=powershell.exe, QueryName values containing random-character strings (10-16 chars, low vowel ratio). QueryStatus will show 'No Such Name' or equivalent NXDOMAIN code for all 30. DnsEvents: ResultCode=3 for all generated domains. The Sysmon process chain shows powershell.exe as the Image with no suspicious parent.

  2. Test 2: Bash DGA Simulation — Random Character String Domains (Linux/macOS)

    Expected signal: Linux auditd SYSCALL records for nslookup execution with random domain arguments (if auditd configured for execve syscalls). Syslog entries from nslookup showing NXDOMAIN responses. Network capture shows UDP port 53 queries to the configured resolver for random-string .com domains. EDR process telemetry: nslookup spawned 30 times from bash with unique arguments per invocation.

  3. Test 3: Python DGA Simulation with Date-Seeded Algorithm

    Expected signal: Sysmon Event ID 1: python3.exe process creation with command line containing the DGA script inline. Sysmon Event ID 22: 30 DNS query events with Image=python3.exe (or python.exe), QueryName values showing random lowercase strings ending in .net. Windows Security Event 4688 (if command line auditing enabled) shows the full python3.exe invocation.

  4. Test 4: Rapid nslookup Batch — High-Entropy Domain Names (Windows CMD)

    Expected signal: Sysmon Event ID 22: 17 DNS query events with Image=nslookup.exe (or cmd.exe as parent), each QueryName showing a consonant-heavy random string ending in .com. All return NXDOMAIN. Windows Security Event 4688 shows cmd.exe execution followed by multiple nslookup.exe child processes. The batch executes in approximately 2-5 seconds, creating a high-velocity NXDOMAIN burst.
