High NXDomain counts associated with a single IP may indicate the use of a Domain Generation Algorithm (DGA) by an adversary attempting to establish command and control channels, as this behavior is commonly used to evade traditional domain-based detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial activity and disrupt C2 communications before they can establish a persistent presence.
KQL Query
let referencestarttime = 10d;
let referenceendtime = 1d;
let threshold = 100;
let nxDomainDnsEvents = (stime:datetime, etime:datetime)
{_Im_Dns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)
| where DnsQueryTypeName in ("A", "AAAA")
| where ipv4_is_match("127.0.0.1", SrcIpAddr) == False
| where DnsQuery !contains "/" and DnsQuery contains "."};
nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())
| extend sld = tostring(split(DnsQuery, ".")[-2])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr
| where dcount_sld > threshold
// Filter out previously seen IPs
| join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))
| extend sld = tostring(split(DnsQuery, ".")[-2])
| summarize dcount(sld) by SrcIpAddr
| where dcount_sld > threshold ) on SrcIpAddr
// Pull out sample NXDomain responses for those remaining potentially infected IPs
| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr
| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld
id: 983a6922-894d-413c-9f04-d7add0ecc307
name: Potential DGA detected (ASIM DNS Schema)
description: |
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with
NXDomain records in prior 10-day baseline period).
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
severity: Medium
requiredDataConnectors:
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
queryFrequency: 1d
queryPeriod: 10d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1568
- T1008
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml
version: 1.0.0
- Schema: ASIMDns
SchemaVersion: 0.1.1
query: |
let referencestarttime = 10d;
let referenceendtime = 1d;
let threshold = 100;
let nxDomainDnsEvents = (stime:datetime, etime:datetime)
{_Im_Dns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)
| where DnsQueryTypeName in ("A", "AAAA")
| where ipv4_is_match("127.0.0.1", SrcIpAddr) == False
| where DnsQuery !contains "/" and DnsQuery contains "."};
nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())
| extend sld = tostring(split(DnsQuery, ".")[-2])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr
| where dcount_sld > threshold
// Filter out previously seen IPs
| join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))
| extend sld = tostring(split(DnsQuery, ".")[-2])
| summarize dcount(sld) by SrcIpAddr
| where dcount_sld > threshold ) on SrcIpAddr
// Pull out sample NXDomain responses for those remaining potentially infected IPs
| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr
| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.3.4
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Yaron
| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorith
Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thre
Scenario: A system is running a scheduled job that uses a dynamic domain generation algorithm for legitimate purposes, such as testing or development environments.
Filter/Exclusion: Exclude domains that match known internal testing domains or use a regex to filter out domains containing specific test keywords (e.g., test, dev, sandbox).
Scenario: A security tool like OSSEC or CrowdStrike is performing a domain reputation check using a DGA to validate against a known list of malicious domains.
Filter/Exclusion: Exclude domains that are part of a known security tool’s internal domain list or use a whitelist of domains used by security software.
Scenario: A system is running a PowerShell script or Python script that generates domains for internal load balancing or service discovery (e.g., using a script that cycles through internal domain names).
Filter/Exclusion: Exclude domains that match internal DNS zones (e.g., internal.corp, svc.corp) or use a filter based on the source IP of the DNS query (e.g., only allow queries from internal management IPs).
Scenario: A Windows Update or System Update process is generating temporary or placeholder domains during the update process.
Filter/Exclusion: Exclude domains that match known Windows update domain patterns (e.g., *.update.microsoft.com, *.windows.net) or use a filter based on the time window around system update events.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is using a DGA to dynamically generate domain names for temporary services or testing environments.
Filter/Exclusion: Exclude domains that match known CI/CD domain patterns (e.g., *.ci.example.com, *.dev.example.com) or use a filter based on the source IP of the DNS query (e.g.,