Query Details

04 DNS DGA High Entropy

Query

id: a1b2c3d4-0004-4a5b-8c9d-dns004dga
name: DGA — High-Entropy Subdomain Pattern (Domain Generation Algorithm)
description: |
  Detects clients communicating with Domain Generation Algorithm (DGA) generated
  domains. DGA malware (Emotet, QakBot, Dridex, TrickBot, SolarWinds Sunburst)
  generates pseudo-random domain names at regular intervals, trying many until
  one resolves to an active C2 server.
  Detection is based on the second-level domain character analysis:
  - High ratio of consonants (>65%) — real words are ~40-55% consonant
  - Contains embedded digits — rare in real brand names
  - Length between 10–40 characters — DGA sweet spot
  - High unique character count — randomness indicator
  Differentiation from built-in "Potential DGA via Repetitive Failures
  (Normalized DNS)":
  The built-in detects DGA via NXDOMAIN failure rate only — if the C2 domain
  has already been registered and resolves, the built-in misses it. This rule
  applies consonant-ratio entropy analysis to SUCCESSFUL queries (NOERROR), 
  catching active C2 beaconing where the DGA domain resolved. Enables detection
  of DGA malware in its post-initial-C2-registration phase.
severity: High
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CommandAndControl
relevantTechniques:
  - T1568.002
tags:
  - DGA
  - Emotet
  - QakBot
  - Dridex
  - TrickBot
  - Domain Generation Algorithm
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  // Resolved queries only (NOERROR), as the description states; the built-in
  // "Potential DGA via Repetitive Failures" rule already covers NXDOMAIN bursts
  | where DnsResponseCodeName == "NOERROR"
  // Second-level label, lowercased: countof() is case-sensitive, so a mixed-case
  // query name would otherwise under-count consonants
  | extend SLD = tolower(tostring(split(DnsQuery, ".")[-2]))
  | where strlen(SLD) between (10 .. 40)
  | extend
      SLDLen         = strlen(SLD),
      HasDigits      = SLD matches regex @"\d",
      ConsonantCount = countof(SLD, "b") + countof(SLD, "c") + countof(SLD, "d")
                     + countof(SLD, "f") + countof(SLD, "g") + countof(SLD, "h")
                     + countof(SLD, "j") + countof(SLD, "k") + countof(SLD, "l")
                     + countof(SLD, "m") + countof(SLD, "n") + countof(SLD, "p")
                     + countof(SLD, "q") + countof(SLD, "r") + countof(SLD, "s")
                     + countof(SLD, "t") + countof(SLD, "v") + countof(SLD, "w")
                     + countof(SLD, "x") + countof(SLD, "y") + countof(SLD, "z")
  // Digits count toward SLDLen but not ConsonantCount, so digit-heavy labels need
  // a very consonant-dense remainder to pass the 0.65 threshold
  | extend ConsonantRatio = todouble(ConsonantCount) / todouble(SLDLen)
  | where ConsonantRatio > 0.65
       and HasDigits == true
  | summarize
      DgaLikeDomains = dcount(DnsQuery),
      QueryCount     = count(),
      SampleDomains  = make_set(DnsQuery, 15),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
  | where DgaLikeDomains > 10
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "DGA Activity — {{SrcHostname}} queried {{DgaLikeDomains}} high-entropy domains"
  alertDescriptionFormat: "{{SrcHostname}} ({{SrcIpAddr}}) queried {{DgaLikeDomains}} high-entropy domains consistent with DGA malware activity. Sample: {{SampleDomains}}"
customDetails:
  DgaLikeDomains: DgaLikeDomains
  SampleDomains: SampleDomains

Explanation

This query is designed to detect suspicious network activity that might indicate the presence of malware using Domain Generation Algorithms (DGA). DGAs are used by malware to generate a large number of domain names in hopes of connecting to a command and control (C2) server. Here's a simple breakdown of what the query does:

  1. Data Source: It analyzes DNS activity logs from Windows DNS systems.

  2. Time Frame: It looks at DNS queries made in the last hour.

  3. Domain Analysis:
    • It focuses on the second-level domain (SLD) of queried domains.
    • It checks if the SLD is between 10 and 40 characters long, which is typical for DGA-generated domains.
    • It calculates the ratio of consonants in the SLD. A high ratio (>65%) suggests randomness, as real words usually have a lower consonant ratio.
    • It checks if the SLD contains digits, which is uncommon in legitimate brand names.

  4. Detection Criteria:
    • The query identifies domains that meet the above criteria and have been queried successfully (i.e., they resolved to an IP address).
    • It flags IP addresses or hostnames that have queried more than 10 such suspicious domains within the hour.

  5. Output:
    • It summarizes the number of suspicious domains queried, the total number of queries, and provides a sample of up to 15 domains.
    • It records the first and last time these queries were seen.

  6. Alerting:
    • If the criteria are met, it generates an alert indicating potential DGA activity, including details about the source hostname and IP address, and a sample of the queried domains.

This query helps identify potential malware activity by detecting patterns typical of DGA-generated domains, even if the domains successfully resolve, which might be missed by other detection methods focusing only on failed queries.
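To try the rule's heuristics before running it against live telemetry, here is an added example (not part of the rule or the author's code) that re-implements the same SLD logic in Python and runs it over a constructed batch of DNS records: second-level label, 10 to 40 characters, consonant ratio above 0.65, at least one digit, NOERROR responses only, then more than 10 distinct DGA-like domains per source in the window. The hostnames, IP addresses, timestamps and domain names are all made up for the example, and the record layout (DnsQuery, SrcIpAddr, SrcHostname, DnsResponseCodeName, TimeGenerated) is assumed to follow the ASimDnsActivityLogs column names used by the query.

```python
"""
Offline model of the DGA rule's per-domain and per-source logic (added
example, not the rule's own code). Records, hosts and domains are constructed.
"""
from collections import defaultdict
from datetime import datetime

CONSONANTS = frozenset("bcdfghjklmnpqrstvwxyz")


def second_level_domain(fqdn: str) -> str:
    """Same as split(DnsQuery, ".")[-2] in the rule: the label left of the TLD.
    Lowercased so a mixed-case query name cannot dodge the consonant count.
    Like the rule, it knows nothing about public suffixes (example.co.uk -> "co")."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else ""


def consonant_ratio(label: str) -> float:
    """Fraction of characters that are consonants; digits count toward length only."""
    if not label:
        return 0.0
    return sum(1 for c in label if c in CONSONANTS) / len(label)


def is_dga_like(fqdn: str, min_len: int = 10, max_len: int = 40,
                ratio_threshold: float = 0.65) -> bool:
    """Per-domain test equivalent to the rule's where clauses on the SLD."""
    sld = second_level_domain(fqdn)
    if not min_len <= len(sld) <= max_len:
        return False
    has_digit = any(c.isdigit() for c in sld)
    return has_digit and consonant_ratio(sld) > ratio_threshold


def find_dga_sources(records, min_domains: int = 10):
    """Equivalent of summarize ... by SrcIpAddr, SrcHostname | where DgaLikeDomains > 10."""
    per_source = defaultdict(lambda: {"domains": set(), "queries": 0, "times": []})
    for r in records:
        if r["DnsResponseCodeName"] != "NOERROR":   # resolved queries only
            continue
        if not is_dga_like(r["DnsQuery"]):
            continue
        bucket = per_source[(r["SrcIpAddr"], r["SrcHostname"])]
        bucket["domains"].add(r["DnsQuery"])
        bucket["queries"] += 1
        bucket["times"].append(r["TimeGenerated"])
    hits = {}
    for key, b in per_source.items():
        if len(b["domains"]) > min_domains:
            hits[key] = {
                "DgaLikeDomains": len(b["domains"]),
                "QueryCount": b["queries"],
                "SampleDomains": sorted(b["domains"])[:15],   # make_set(DnsQuery, 15)
                "FirstSeen": min(b["times"]),
                "LastSeen": max(b["times"]),
            }
    return hits


def _rec(ts, ip, host, query, rcode="NOERROR"):
    """Build one constructed record using the ASimDnsActivityLogs column names."""
    return {"TimeGenerated": datetime.fromisoformat(ts), "SrcIpAddr": ip,
            "SrcHostname": host, "DnsQuery": query, "DnsResponseCodeName": rcode}


# Constructed sample telemetry: every host, IP and domain below is made up.
SAMPLE_RECORDS = (
    # WS-FINANCE-07: 12 distinct resolved DGA-like names -> above the > 10 threshold.
    [_rec(f"2026-03-26T10:{i:02d}:00", "10.0.0.5", "WS-FINANCE-07",
          f"xkqzvtnrbwpl{i:02d}.com") for i in range(12)]
    # Benign lookups from the same host must not count: one is too short, the other
    # is long but has no digits in its SLD.
    + [_rec("2026-03-26T10:15:00", "10.0.0.5", "WS-FINANCE-07", "login.microsoft.com"),
       _rec("2026-03-26T10:16:00", "10.0.0.5", "WS-FINANCE-07",
            "download12.akamaitechnologies.com")]
    # WS-HR-02: 20 DGA-like names that did NOT resolve are ignored here (that is the
    # built-in failure-rate rule's territory); only 3 resolved, so below threshold.
    + [_rec(f"2026-03-26T10:{i:02d}:00", "10.0.0.9", "WS-HR-02",
            f"qzxvtnrbwplk{i:02d}.net", "NXDOMAIN") for i in range(20)]
    + [_rec(f"2026-03-26T10:{30 + i:02d}:00", "10.0.0.9", "WS-HR-02",
            f"qzxvtnrbwplk{50 + i}.net") for i in range(3)]
)


if __name__ == "__main__":
    for (ip, host), detail in find_dga_sources(SAMPLE_RECORDS).items():
        print(f"{host} ({ip}) queried {detail['DgaLikeDomains']} high-entropy domains; "
              f"sample: {detail['SampleDomains'][:3]}")
```

Running it flags only WS-FINANCE-07, which shows the two properties worth checking before deployment: the NXDOMAIN burst from WS-HR-02 is deliberately left to the built-in failure-rate rule, and the resolved-domain count is what has to exceed 10, so a host that resolves a handful of odd names is not alerted on. Swapping in your own organisation's top queried SLDs for the benign entries is a quick way to see whether the 0.65 consonant ratio and the digit requirement produce false positives on CDN or telemetry hostnames.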

Details


David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogs, Host, IpAddress, DomainGenerationAlgorithm, Emotet, QakBot, Dridex, TrickBot, CommandAndControl

Operators

ago, split, strlen, between, extend, tostring, matches regex, countof, todouble, summarize, dcount, count, make_set, min, max
