Skip to content

DET0419 Detection Strategy for Dynamic Resolution using Domain Generation Algorithms.

Item Value
ID DET0419
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1568.002 (Domain Generation Algorithms)

Analytics

Windows

AN1178

Correlate DNS queries that generate domains with high entropy or gibberish patterns, combined with short-lived connections from unusual processes. Monitor Sysmon DNS events and Windows Security logs for abnormal query rates and failed lookups.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Mutable Elements
Field Description
EntropyThreshold Set threshold for randomness in queried domain strings (e.g., >4.0)
QueryFailureRate Failed resolution ratio above normal baseline (e.g., >30%)
TimeWindow Duration for aggregating suspicious DNS queries (e.g., 5–10 min)

Linux

AN1179

Identify processes issuing repeated DNS queries to random-looking domains with abnormal entropy or word concatenations. Correlate resolver logs with high NXDOMAIN rates and auditd socket connections.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) auditd:SYSCALL socket/connect
Network Traffic Content (DC0085) linux:syslog Multiple NXDOMAIN responses and high entropy domains
Mutable Elements
Field Description
NXDOMAINThreshold Ratio of failed queries triggering alert (e.g., >40%)
DomainAge Flag queries to domains registered in last 7–30 days

macOS

AN1180

Monitor unified DNS logs for abnormal domain queries with low lexical similarity to known domains, repeated failed lookups, and random string structures. Cross-check with process logs to confirm unusual origins (non-browser apps).

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) macos:unifiedlog High entropy domain queries with multiple NXDOMAINs
Process Creation (DC0032) macos:unifiedlog Unexpected apps performing repeated DNS lookups
Mutable Elements
Field Description
ReputationFeedWhitelist Exclude trusted CDN and cloud provider domains
LexicalScoreThreshold Adjust score for word-based vs. letter-based DGAs

ESXi

AN1181

Use ESXi syslogs to track abnormal DNS query patterns from management agents or VMs. Identify high-frequency, low-TTL, or unresolvable domains as suspicious. Correlate with unusual management plane process activity.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) esxi:syslog Frequent DNS queries with high entropy names or NXDOMAIN results
Mutable Elements
Field Description
ResolverConfigPaths Expected resolver settings for ESXi hosts
DomainWhitelist Trusted external domains for hypervisor operations