Query Details

DGA — High-Entropy Subdomain Pattern (Domain Generation Algorithm)

04 DNS DGA High Entropy

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| extend SLD = tostring(split(DnsQuery, ".")[-2])
| where strlen(SLD) between (10 .. 40)
| extend
    SLDLen         = strlen(SLD),
    HasDigits      = SLD matches regex @"\d",
    ConsonantCount = countof(SLD, "b") + countof(SLD, "c") + countof(SLD, "d")
                   + countof(SLD, "f") + countof(SLD, "g") + countof(SLD, "h")
                   + countof(SLD, "j") + countof(SLD, "k") + countof(SLD, "l")
                   + countof(SLD, "m") + countof(SLD, "n") + countof(SLD, "p")
                   + countof(SLD, "q") + countof(SLD, "r") + countof(SLD, "s")
                   + countof(SLD, "t") + countof(SLD, "v") + countof(SLD, "w")
                   + countof(SLD, "x") + countof(SLD, "y") + countof(SLD, "z")
| extend ConsonantRatio = todouble(ConsonantCount) / todouble(SLDLen)
| where ConsonantRatio > 0.65
     and HasDigits == true
| summarize
    DgaLikeDomains = dcount(DnsQuery),
    QueryCount     = count(),
    SampleDomains  = make_set(DnsQuery, 15),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SrcIpAddr, SrcHostname
| where DgaLikeDomains > 10

Explanation

This query is designed to detect suspicious network activity that might indicate the presence of malware using Domain Generation Algorithms (DGA). DGAs are used by malware to generate a large number of domain names in hopes of connecting to a command and control (C2) server. Here's a simple breakdown of what the query does:

  1. Data Source: It analyzes DNS activity logs from Windows DNS systems.

  2. Time Frame: It looks at DNS queries made in the last hour.

  3. Domain Analysis:

    • It focuses on the second-level domain (SLD) of queried domains.
    • It checks if the SLD is between 10 and 40 characters long, which is typical for DGA-generated domains.
    • It calculates the ratio of consonants in the SLD. A high ratio (>65%) suggests randomness, as real words usually have a lower consonant ratio.
    • It checks if the SLD contains digits, which is uncommon in legitimate brand names.
  4. Detection Criteria:

    • The query identifies domains that meet the above criteria and have been queried successfully (i.e., they resolved to an IP address).
    • It flags IP addresses or hostnames that have queried more than 10 such suspicious domains within the hour.
  5. Output:

    • It summarizes the number of suspicious domains queried, the total number of queries, and provides a sample of up to 15 domains.
    • It records the first and last time these queries were seen.
  6. Alerting:

    • If the criteria are met, it generates an alert indicating potential DGA activity, including details about the source hostname and IP address, and a sample of the queried domains.

This query helps identify potential malware activity by detecting patterns typical of DGA-generated domains, even if the domains successfully resolve, which might be missed by other detection methods focusing only on failed queries.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogsHostIpAddressDomainGenerationAlgorithmEmotetQakBotDridexTrickBotCommandAndControl

Operators

agosplitstrlenbetweenextendtostringmatches regexcountoftodoublesummarizedcountcountmake_setminmax

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub