T1568.002 Sumo Logic CSE · Sumo

Detect Domain Generation Algorithms in Sumo Logic CSE

Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.002 Domain Generation Algorithms
Canonical reference
https://attack.mitre.org/techniques/T1568/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
// T1568.002 — DGA Detection via NXDOMAIN Rate and Domain Entropy
// Source: DNS server logs or Windows Sysmon Event 22 forwarded to Sumo Logic
_sourceCategory=dns OR _sourceCategory=windows/sysmon
| where !(isNull(%"dns.response_code")) or !(isNull(QueryStatus))
// Normalize NXDOMAIN field across source types
| if (!isNull(QueryStatus), QueryStatus, %"dns.response_code") as response_code
| where response_code matches /(?i)(NXDOMAIN|no such name|name error|9003|9501)/
| if (!isNull(QueryName), QueryName, %"dns.question.name") as query_name
| toLowerCase(query_name) as query_name
// Extract SLD using regex: capture second-to-last label before TLD
| parse regex field=query_name "^(?:.*\.)?(?P<sld>[^.]+)\.[^.]+$"
| where !isNull(sld) && strlen(sld) >= 7
| toLong(strlen(sld)) as domain_length
// Vowel ratio calculation
| replaceAll(sld, "[^aeiou]", "") as vowels
| toLong(strlen(vowels)) as vowel_count
| toDouble(vowel_count) / toDouble(domain_length) as vowel_ratio
// Digit ratio calculation
| replaceAll(sld, "[^0-9]", "") as digits
| toLong(strlen(digits)) as digit_count
| toDouble(digit_count) / toDouble(domain_length) as digit_ratio
// DGA heuristic scoring
| if (vowel_ratio < 0.20 OR digit_ratio > 0.35 OR domain_length > 16, 1, 0) as is_likely_dga
| if (!isNull(src_host), src_host, host) as reporting_host
| timeslice 1h
| stats
    count as total_nxdomain,
    dcount(query_name) as unique_nx_domains,
    sum(is_likely_dga) as likely_dga_count,
    values(query_name) as sample_domains
    by _timeslice, reporting_host
| where total_nxdomain >= 20 AND unique_nx_domains >= 15
| toDouble(unique_nx_domains) / 60.0 as query_rate
| if (likely_dga_count > 10 AND query_rate > 0.25, "Critical",
    if (likely_dga_count > 5 OR query_rate > 0.08, "High", "Medium")) as severity
| fields _timeslice, reporting_host, total_nxdomain, unique_nx_domains, likely_dga_count, query_rate, severity, sample_domains
| sort by likely_dga_count desc
high severity medium confidence

Detects DGA-based C2 activity by analyzing DNS NXDOMAIN responses per host over 1-hour windows. Extracts second-level domain labels and applies statistical heuristics (vowel ratio < 20%, digit ratio > 35%, length > 16 chars) to classify likely algorithmically-generated domains. Alerts when a host exceeds volume thresholds and reports severity based on DGA-classified domain count and query rate.

Data Sources

Windows Sysmon Event ID 22 (DNS Query) via Sumo Logic Windows collectorISC BIND or Microsoft DNS Server analytical logsZeek DNS logsPalo Alto DNS Security logs

Required Tables

_sourceCategory=dns_sourceCategory=windows/sysmon

False Positives & Tuning

  • DNS forwarders or recursive resolvers with many downstream clients will appear to originate high NXDOMAIN volumes from a single host IP
  • Automated integration tests or CI/CD pipelines running DNS-dependent service health checks against ephemeral or torn-down environments
  • Antivirus or EDR products performing DNS reputation checks for newly encountered file hashes by querying hash-based DNS indicator services
Download portable Sigma rule (.yml)

Other platforms for T1568.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Time-Seeded DGA Simulation (Conficker-Style)

    Expected signal: Sysmon Event ID 22 (DNS Query): 30 entries with Image=powershell.exe, QueryName values containing random-character strings (10-16 chars, low vowel ratio). QueryStatus will show 'No Such Name' or equivalent NXDOMAIN code for all 30. DnsEvents: ResultCode=3 for all generated domains. The Sysmon process chain shows powershell.exe as the Image with no suspicious parent.

  2. Test 2Bash DGA Simulation — Random Character String Domains (Linux/macOS)

    Expected signal: Linux auditd SYSCALL records for nslookup execution with random domain arguments (if auditd configured for execve syscalls). Syslog entries from nslookup showing NXDOMAIN responses. Network capture shows UDP port 53 queries to the configured resolver for random-string .com domains. EDR process telemetry: nslookup spawned 30 times from bash with unique arguments per invocation.

  3. Test 3Python DGA Simulation with Date-Seeded Algorithm

    Expected signal: Sysmon Event ID 1: python3.exe process creation with command line containing the DGA script inline. Sysmon Event ID 22: 30 DNS query events with Image=python3.exe (or python.exe), QueryName values showing random lowercase strings ending in .net. Windows Security Event 4688 (if command line auditing enabled) shows the full python3.exe invocation.

  4. Test 4Rapid nslookup Batch — High-Entropy Domain Names (Windows CMD)

    Expected signal: Sysmon Event ID 22: 17 DNS query events with Image=nslookup.exe (or cmd.exe as parent), each QueryName showing a consonant-heavy random string ending in .com. All return NXDOMAIN. Windows Security Event 4688 shows cmd.exe execution followed by multiple nslookup.exe child processes. The batch executes in approximately 2-5 seconds, creating a high-velocity NXDOMAIN burst.

Last updated: 2026-04-21 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1568.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1568Dynamic Resolution

Related Sub-techniques

T1568.001Fast Flux DNST1568.003DNS Calculation

Related Techniques

T1568Dynamic ResolutionT1568.001Fast Flux DNST1071.004DNST1008Fallback ChannelsT1095Non-Application Layer ProtocolT1132.001Standard EncodingT1027Obfuscated Files or InformationT1573.001Symmetric CryptographyT1105Ingress Tool Transfer

Same Tactic: Command and Control

Popular Detections