Query Details

DNS C2 Beaconing — Low-TTL Periodic Domain Lookups

02 DNS C2 Beaconing Periodic

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(4h)
| where EventResult =~ "Success"
| where DnsQueryTypeName in~ ("A", "AAAA", "TXT", "MX", "CNAME", "NULL")
| summarize
    QueryCount  = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    SrcHostname = any(SrcHostname)
  by SrcIpAddr, DnsQuery
| where QueryCount >= 20
| extend
    SpanMinutes   = datetime_diff('minute', LastSeen, FirstSeen),
    QueriesPerMin = round(todouble(QueryCount) / max_of(1, datetime_diff('minute', LastSeen, FirstSeen)), 2)
| where SpanMinutes > 5
| where QueriesPerMin >= 1

Explanation

This query is designed to detect suspicious DNS activity that may indicate command-and-control (C2) beaconing, a technique often used by malware to communicate with an external server. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies clients (computers or devices) that repeatedly query the same external domain at regular intervals, which is a common behavior of automated C2 communication.

  2. Detection Criteria:

    • The query looks at DNS activity logs from the past 4 hours.
    • It focuses on successful DNS queries of specific types (A, AAAA, TXT, MX, CNAME, NULL).
    • It flags any client that queries the same Fully Qualified Domain Name (FQDN) 20 or more times within this period.
    • It calculates the time span between the first and last query and the average number of queries per minute.
    • It only considers cases where the querying happens over more than 5 minutes and at a rate of at least 1 query per minute.
  3. Alerting:

    • If the criteria are met, an alert is generated with details about the client, the domain queried, the number of queries, and the query rate.
    • The alert is labeled as high severity due to its potential indication of malicious activity.
  4. Use Cases:

    • This query is particularly relevant for detecting C2 frameworks like Cobalt Strike, Silver, and Havoc, which use DNS for communication.
    • It helps security teams identify potential threats and take action to investigate or mitigate them.
  5. Output:

    • The alert includes information about the host (client), its IP address, the domain being queried, and the frequency of queries.

Overall, this query helps in identifying automated and potentially malicious DNS activity that could signify a compromised system communicating with a threat actor's server.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DNSC2BeaconingCobaltStrikeSilverHavocHostIPDomainName

Operators

ASimDnsActivityLogswhereago=~in~summarizecountminmaxanybyextenddatetime_diffroundtodoublemax_of

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 4h

Period: 4h

Actions

GitHub