Adversaries may use domain generation algorithms (DGAs) to establish covert command-and-control channels: the implant derives a stream of pseudo-random domain names from a seed such as the current date, and the operator registers only one or two of them, so static domain blocklists never catch up. The same property leaves a distinctive trail in DNS telemetry (bursts of NXDOMAIN responses for unique, random-looking names from a single host), which SOC teams can hunt for proactively in Microsoft Sentinel (formerly Azure Sentinel) to identify C2 activity early.
YARA Rule
rule network_dga {
    meta:
        author = "x0r"
        description = "Communication using dga"
        version = "0.1"
    strings:
        $dll1 = "Advapi32.dll" nocase
        $dll2 = "wininet.dll" nocase
        $dll3 = "Crypt32.dll" nocase
        $time1 = "SystemTimeToFileTime"
        $time2 = "GetSystemTime"
        $time3 = "GetSystemTimeAsFileTime"
        $hash1 = "CryptCreateHash"
        $hash2 = "CryptAcquireContext"
        $hash3 = "CryptHashData"
        $net1 = "InternetOpen"
        $net2 = "InternetOpenUrl"
        $net3 = "gethostbyname"
        $net4 = "getaddrinfo"
    condition:
        all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
}
The rule's 13 strings fall into four groups, and its condition requires all three DLL names (matched case-insensitively because of `nocase`) plus at least one API name from each of the time, hashing and networking groups. It is a static, import-based heuristic: it fires on any binary that reads the clock, hashes data with CryptoAPI and resolves a name or fetches a URL, which is the fingerprint of a time-seeded DGA but also of a good deal of legitimate software. The scenarios below are therefore best handled by allowlisting files (code signer, known hash, install path); network-side filters only apply when the same hypothesis is hunted in DNS or proxy telemetry, since a YARA match on a file carries no traffic to filter.
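As an added illustration (not code from the original page or from the rule's author), the block below does two things in Python. It implements a small, hypothetical time-seeded DGA, to show why the rule pairs clock APIs with CryptoAPI hashing and name-resolution calls: the implant reads the date, hashes (date, counter) and uses the digest as a DNS label. It then re-implements the rule's condition as substring searches over constructed byte blobs standing in for PE files: one DGA-like sample, one benign updater that imports the same API set and therefore also matches (the false-positive class the scenarios below tune for), and one network tool without CryptoAPI that does not. The blobs, the DGA algorithm and the import lists are constructed for this example; `hashlib.md5` stands in for CryptHashData.

```python
"""Added example, not code from the original page or from the rule's author.

1. A minimal, hypothetical time-seeded hash-based DGA, showing why the rule
   pairs GetSystemTime* with CryptHashData and with WinINet / resolver calls.
2. The rule's condition re-implemented over constructed byte blobs that stand
   in for PE files (no real samples are used).
"""
import hashlib
from datetime import date

# --- 1. what a time-seeded DGA looks like (hypothetical algorithm) ------------

TLDS = ("com", "net", "info")


def dga_domains(day_iso: str, count: int = 5) -> list:
    """Derive `count` candidate rendezvous domains from an ISO date string.

    The implant reads the clock, hashes (date, counter) and uses the digest as
    a DNS label; the operator, who knows the algorithm, registers one or two of
    today's names in advance. md5 stands in for CryptHashData here.
    """
    domains = []
    for i in range(count):
        seed = f"{day_iso}:{i}".encode()
        label = hashlib.md5(seed).hexdigest()[:12]
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


# --- 2. the YARA condition in Python ------------------------------------------

# Same groups as the rule. Only the $dll* strings carry `nocase`.
RULE_STRINGS = {
    "dll":  ("Advapi32.dll", "wininet.dll", "Crypt32.dll"),
    "time": ("SystemTimeToFileTime", "GetSystemTime", "GetSystemTimeAsFileTime"),
    "hash": ("CryptCreateHash", "CryptAcquireContext", "CryptHashData"),
    "net":  ("InternetOpen", "InternetOpenUrl", "gethostbyname", "getaddrinfo"),
}
NOCASE_GROUPS = {"dll"}


def matched_strings(blob: bytes) -> dict:
    """Return, per group, the rule strings found in `blob`.

    YARA strings are substring searches over the whole file, so the rule's
    "InternetOpen" also hits an import of "InternetOpenA", exactly as here.
    """
    hits = {}
    lowered = blob.lower()
    for group, patterns in RULE_STRINGS.items():
        if group in NOCASE_GROUPS:
            hits[group] = [p for p in patterns if p.lower().encode() in lowered]
        else:
            hits[group] = [p for p in patterns if p.encode() in blob]
    return hits


def matches_network_dga(blob: bytes) -> bool:
    """all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)"""
    h = matched_strings(blob)
    return (len(h["dll"]) == len(RULE_STRINGS["dll"])
            and bool(h["time"]) and bool(h["hash"]) and bool(h["net"]))


# --- constructed stand-ins for PE import tables (not real samples) -----------

def _fake_pe(*imports: str) -> bytes:
    """A DOS header stub followed by NUL-separated import names."""
    return b"MZ\x90\x00" + b"\x00".join(s.encode() for s in imports) + b"\x00"


DGA_SAMPLE = _fake_pe(
    "Advapi32.dll", "wininet.dll", "CRYPT32.DLL",          # upper case: nocase
    "GetSystemTime", "CryptAcquireContextA", "CryptCreateHash", "CryptHashData",
    "InternetOpenA", "InternetOpenUrlA", "gethostbyname",
)
# A software updater: reads the clock, hashes a download to verify it, fetches
# it over WinINet. Same API surface, so the rule fires on it too.
BENIGN_UPDATER = _fake_pe(
    "Advapi32.dll", "wininet.dll", "Crypt32.dll",
    "GetSystemTimeAsFileTime", "CryptHashData", "InternetOpenUrlA",
)
# A network tool that never touches CryptoAPI: no crypt32.dll, no $hash*.
NO_CRYPTO_TOOL = _fake_pe(
    "Advapi32.dll", "wininet.dll", "GetSystemTime", "InternetOpenUrlA",
)

if __name__ == "__main__":
    print("today's candidate domains:", dga_domains(date.today().isoformat(), 3))
    for name, blob in [("DGA_SAMPLE", DGA_SAMPLE),
                       ("BENIGN_UPDATER", BENIGN_UPDATER),
                       ("NO_CRYPTO_TOOL", NO_CRYPTO_TOOL)]:
        print(f"{name:15} matches={matches_network_dga(blob)} {matched_strings(blob)}")
```

Run it directly to print the candidate domains and the per-group hits. `matched_strings` is the part worth keeping when triaging a hit: it shows which group carried the match, and the benign updater illustrates why the answer is usually an allowlist entry for a signed file rather than a change to the condition.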
Scenario: Endpoint Security Agents
Description: Endpoint agents such as the CrowdStrike Falcon sensor or Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) do not use DGAs; they check in to fixed vendor cloud endpoints. Their binaries can nonetheless import the same combination the rule keys on (CryptoAPI hashing and certificate handling, WinINet or Winsock name resolution for the cloud check-in, and system-time calls for timestamps), so the import heuristic fires on them.
Filter/Exclusion: Allowlist by Authenticode signer (the vendor's code-signing certificate) or by known-good file hashes from the vendor's release. A domain-based exclusion does not apply to a file match; if the DGA hypothesis is hunted in DNS telemetry instead, the agents' fixed vendor domains can be excluded there.
Scenario: Scheduled System Maintenance Tasks
Description: Task Scheduler and PowerShell scheduled jobs do not generate domains. What trips the rule is the maintenance software they launch: updaters and telemetry components that download content over WinINet, verify it with CryptoAPI hashes and stamp it with the system time import exactly the rule's API set.
Filter/Exclusion: Exclude Microsoft-signed binaries under %SystemRoot% and known vendor updaters by signer or hash, or scope the scan to unsigned or newly written executables. Do not exclude by the account a process runs as (SYSTEM, NT AUTHORITY\LocalService): persistent malware routinely runs under those accounts too, and the rule matches the file, not the process.
Scenario: Internal DNS and Dynamic DNS Clients
Description: DNS servers do not use DGAs; internal name resolution and dynamic DNS updates use configured, human-readable names. Software that both resolves names (gethostbyname, getaddrinfo) and hashes or signs data, such as dynamic-DNS update clients and network monitoring agents, can nonetheless match the rule's import pattern.
Filter/Exclusion: Allowlist those binaries by signer or hash. When hunting the same behaviour in DNS logs, queries inside the enterprise namespace (e.g., *.internal.corp) can be set aside, since DGA domains are registered under public TLDs. Do not filter out all traffic to the internal resolvers (e.g., 10.0.0.1, 192.168.0.10): clients send their DGA lookups to those very resolvers, so that exclusion would discard the NXDOMAIN bursts the hunt depends on. Filter on the queried name, not on the resolver address.
Scenario: Cloud Infrastructure Management Tools
Description: Terraform, Ansible and AWS CloudFormation do not use DGAs; the endpoints they talk to are fixed provider hostnames. Native Windows components in the provisioning path, such as cloud-provider guest agents and installers that download and hash artifacts over WinINet, can import the rule's API combination.
Filter/Exclusion: Allowlist by signer or hash. In DNS or proxy telemetry the provider domains are static and can be excluded from a DGA hunt (e.g., *.amazonaws.com, *.azure.com, *.googleapis.com); user-agent strings and request headers identify the tooling in proxy logs but are not visible to a file-based YARA match.
Scenario: Email Server Dynamic DNS Updates
Description: Email