DNS C2 Beaconing — Low-TTL Periodic Domain Lookups
02 DNS C2 Beaconing Periodic
Query
ASimDnsActivityLogs
| where TimeGenerated > ago(4h)
| where EventResult =~ "Success"
| where DnsQueryTypeName in~ ("A", "AAAA", "TXT", "MX", "CNAME", "NULL")
| summarize
QueryCount = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
SrcHostname = any(SrcHostname)
by SrcIpAddr, DnsQuery
| where QueryCount >= 20
| extend
SpanMinutes = datetime_diff('minute', LastSeen, FirstSeen),
QueriesPerMin = round(todouble(QueryCount) / max_of(1, datetime_diff('minute', LastSeen, FirstSeen)), 2)
| where SpanMinutes > 5
| where QueriesPerMin >= 1Explanation
This query is designed to detect suspicious DNS activity that may indicate command-and-control (C2) beaconing, a technique often used by malware to communicate with an external server. Here's a simplified breakdown of what the query does:
-
Purpose: It identifies clients (computers or devices) that repeatedly query the same external domain at regular intervals, which is a common behavior of automated C2 communication.
-
Detection Criteria:
- The query looks at DNS activity logs from the past 4 hours.
- It focuses on successful DNS queries of specific types (A, AAAA, TXT, MX, CNAME, NULL).
- It flags any client that queries the same Fully Qualified Domain Name (FQDN) 20 or more times within this period.
- It calculates the time span between the first and last query and the average number of queries per minute.
- It only considers cases where the querying happens over more than 5 minutes and at a rate of at least 1 query per minute.
-
Alerting:
- If the criteria are met, an alert is generated with details about the client, the domain queried, the number of queries, and the query rate.
- The alert is labeled as high severity due to its potential indication of malicious activity.
-
Use Cases:
- This query is particularly relevant for detecting C2 frameworks like Cobalt Strike, Silver, and Havoc, which use DNS for communication.
- It helps security teams identify potential threats and take action to investigate or mitigate them.
-
Output:
- The alert includes information about the host (client), its IP address, the domain being queried, and the frequency of queries.
Overall, this query helps in identifying automated and potentially malicious DNS activity that could signify a compromised system communicating with a threat actor's server.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 4h
Period: 4h