title: Domain Generation Algorithms (T1568.002)
id: df00tech-t1568-002
status: experimental
description: "Adversaries use Domain Generation Algorithms (DGAs) to dynamically identify C2 destinations by algorithmically generating large numbers of candidate domain names. Only the operator-registered domain resolves successfully; all others return NXDOMAIN. This makes blocking impractical — defenders cannot predict the full space of generated domains. DGAs may produce random character strings (e.g., istgmxdejdnxuyla.ru) or concatenate dictionary words (e.g., cityjulydish.net). Many implementations are time-seeded, generating different candidate domains hourly or daily. Some incorporate a shared secret seed to prevent defender prediction. Detection focuses on statistical anomalies: abnormally high NXDOMAIN failure rates from a single host, domain names with low vowel ratios or high character entropy, rapid successive queries to many unique failing domains, and beaconing patterns once a DGA domain resolves. Malware families using DGA include QakBot, Conficker, Ursnif, DarkWatchman, BONDUPDATER, POSHSPY, CHOPSTICK, Aria-body, Milan, SombRAT, and MiniDuke. APT41 changes C2 monthly via DGA; TA551 generates URLs from executed macros."
references:
  - https://attack.mitre.org/techniques/T1568/002/
  - https://df00tech.com/detections/T1568.002
author: df00tech
date: 2026/04/21
tags:
  - attack.t1568.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Cloud infrastructure with GUID-based hostnames (Azure, AWS, GCP auto-generated resource names) performing DNS lookups that fail when services are deprovisioned or accessed cross-region"
  - "Security scanning and threat intelligence tools (Nessus, Qualys, Shodan crawlers, passive DNS enrichment pipelines) performing bulk DNS enumeration generating high NXDOMAIN rates"
  - "Content delivery networks using algorithmically-generated short-TTL subdomains with low vowel ratios — some Akamai, Cloudflare, and Fastly edge-node hostnames match entropy thresholds"
  - "Software development and CI/CD pipelines running integration tests that generate randomized ephemeral test domain names, or microservices discovery in misconfigured service meshes"
  - "Misconfigured DNS resolvers, split-horizon DNS setups, or VPN clients resolving internal domains against a public resolver — causing legitimate internal hostnames to return NXDOMAIN"
level: high
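The rule's detection block is a placeholder, so the heuristics named in the description (character entropy and vowel ratio of the queried label, NXDOMAIN failure rate and count of unique failing names per source host) are shown here as a worked example. This code is added by the editor and is not part of the df00tech rule or its KQL/SPL query. The log format (`<timestamp> <src_ip> <qname> <rcode>`), the resolver log lines, the random-looking labels, the internal hostname, and all thresholds are constructed assumptions for illustration; the label extraction deliberately ignores the public-suffix list. The dictionary-word domain from the description is included because it passes the lexical checks, which is why the per-host NXDOMAIN signal is kept as a separate test.

```python
# Scoring helpers for the DGA heuristics in the rule description. Editor-added example;
# thresholds, log format and all sample data below are constructed, not from the rule.
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass, field

VOWELS = set("aeiou")
ENTROPY_THRESHOLD = 3.5       # assumed: bits/char of the registrable label
VOWEL_RATIO_THRESHOLD = 0.2   # assumed: fraction of letters that are vowels
NXDOMAIN_RATE_THRESHOLD = 0.5 # assumed: share of a host's queries that fail
MIN_UNIQUE_FAILING = 5        # assumed: distinct failing names before flagging


def registrable_label(qname: str) -> str:
    """Label left of the TLD. Simplified: no public-suffix list, so 'a.co.uk' -> 'co'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(text: str) -> float:
    """Vowels divided by alphabetic characters ('y' is not counted as a vowel)."""
    letters = [ch for ch in text if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def lexical_flags(qname: str) -> dict:
    """Per-domain lexical features; 'suspicious' if either threshold is crossed."""
    label = registrable_label(qname)
    ent, vr = shannon_entropy(label), vowel_ratio(label)
    return {"label": label, "entropy": ent, "vowel_ratio": vr,
            "suspicious": ent >= ENTROPY_THRESHOLD or vr <= VOWEL_RATIO_THRESHOLD}


@dataclass
class HostStats:
    total: int = 0
    nxdomain: int = 0
    failing_names: set = field(default_factory=set)

    @property
    def nxdomain_rate(self) -> float:
        return self.nxdomain / self.total if self.total else 0.0


def parse_log(lines) -> dict[str, HostStats]:
    """Aggregate constructed resolver lines '<timestamp> <src_ip> <qname> <rcode>' per source."""
    stats: dict[str, HostStats] = defaultdict(HostStats)
    for line in lines:
        if not line.strip():
            continue
        _ts, src, qname, rcode = line.split()
        s = stats[src]
        s.total += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
            s.failing_names.add(qname.lower())
    return stats


def flag_hosts(stats: dict[str, HostStats]) -> list[str]:
    """Hosts whose failure rate and number of distinct failing names both exceed thresholds."""
    return sorted(ip for ip, s in stats.items()
                  if s.nxdomain_rate >= NXDOMAIN_RATE_THRESHOLD
                  and len(s.failing_names) >= MIN_UNIQUE_FAILING)


# Constructed sample: 10.0.0.5 walks candidate domains until one resolves;
# 10.0.0.9 is ordinary traffic plus one split-horizon miss (a known false positive).
SAMPLE_LOG = """
2026-04-21T10:00:01Z 10.0.0.5 istgmxdejdnxuyla.ru NXDOMAIN
2026-04-21T10:00:01Z 10.0.0.5 qzvbnrtkplwmxdcs.ru NXDOMAIN
2026-04-21T10:00:01Z 10.0.0.5 wkpfhgtrzmdlnbvx.ru NXDOMAIN
2026-04-21T10:00:02Z 10.0.0.5 brtkxmzpqwdlsfnh.ru NXDOMAIN
2026-04-21T10:00:02Z 10.0.0.5 mnxzqtrbvpkwhdls.ru NXDOMAIN
2026-04-21T10:00:02Z 10.0.0.5 tzrwbhxvpmkqdlns.ru NXDOMAIN
2026-04-21T10:00:03Z 10.0.0.5 xkqvbmtzrhwpdnls.ru NXDOMAIN
2026-04-21T10:00:03Z 10.0.0.5 cityjulydish.net NOERROR
2026-04-21T10:00:05Z 10.0.0.9 google.com NOERROR
2026-04-21T10:00:06Z 10.0.0.9 microsoft.com NOERROR
2026-04-21T10:00:07Z 10.0.0.9 fileshare.corp.example NXDOMAIN
"""

if __name__ == "__main__":
    for name in ("istgmxdejdnxuyla.ru", "cityjulydish.net", "google.com"):
        print(lexical_flags(name))
    host_stats = parse_log(SAMPLE_LOG.splitlines())
    for ip, s in sorted(host_stats.items()):
        print(ip, f"rate={s.nxdomain_rate:.2f}", f"unique_failing={len(s.failing_names)}")
    print("flagged:", flag_hosts(host_stats))
```

Run stand-alone, the random-string label is flagged lexically while the dictionary-word label is not, and only 10.0.0.5 is flagged on the NXDOMAIN signal. In production the two signals should be combined rather than used alone: lexical features alone hit the CDN and cloud GUID hostnames listed under falsepositives, and the failure-rate test alone hits scanners, CI pipelines and split-horizon resolvers.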
