Microsoft servers generating DGA alerts

Anonymous
2024-02-23T15:38:37+00:00

We have multiple DGA alerts generated by Windows Server 2012 servers. These are configured as DCs, and we are seeing randomly generated domains with an added suffix.

After research we found this article: https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/dns-requests-random-network-properties-change?source=docs

What pattern do these follow, and how are they generated on the servers? Any clue is helpful to isolate these alerts.


This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.

4 answers

  1. Anonymous
    2024-02-26T07:43:56+00:00

    Hello,

    DGA is a technique used by malware to generate random domain names to avoid detection and defense. In Windows Server, DGA alerts are typically detected by DNS servers. The mode and manner in which DGA is generated in Windows Server may vary with different malware. However, some common patterns include randomly generated domain name suffixes, generating domain names using random characters and numbers, etc.

    To isolate these alerts, you can take the following actions:

    1. Update your antivirus software and run a full scan to detect any malware.
    2. Make sure your Windows Server 2012 has the latest security updates and patches installed.
    3. Check your DNS server configurations to ensure they comply with best practices and only allow access to authorized users.

    Regards,

    Zunhui

  2. Anonymous
    2024-03-04T16:50:11+00:00

    Thank you.

    These DGAs are commonly generated by the Windows OS to test the network connection. If you look at the document I shared, it has the details.

    I wanted to know how Windows is doing it.

  3. Anonymous
    2024-03-10T12:22:11+00:00

    DGA is a technique used to generate large numbers of random domain names that can be used for malware communication. In the Windows operating system, DGA can be implemented by writing specific programs or scripts. These programs or scripts can use a pseudo-random number generator to generate domain names and then match them to IP addresses associated with the malware. This way, the malware can communicate with the control server through these random domain names, thus avoiding detection and blocking.

  4. Anonymous
    2024-03-11T00:29:39+00:00

    Hello

    Thank you again for the reply.

    If you read this article you will get the point:

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/dns-requests-random-network-properties-change?source=docs

    The operating system itself is generating random domains to test network functionality.

    It is not real DGA. BTW, I am a security engineer.

    We have tested the above situation on Windows Server 2012 and 2019 operating systems.

    When we restart the network service or reboot the server, it generates randomly created domain names.

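The thread above contains two observations a SOC analyst can turn into a triage rule: the first answer describes what real DGA traffic looks like (many random labels across many parent domains, sustained over time), and the last two posts describe what the poster actually saw on the DCs (a random label with the machine's own DNS suffix appended, appearing in a short burst when the server reboots or the network service restarts). The script below is an added example written for this page; it is not code from Microsoft, from the linked article, or from any of the posters. The log format, the IP addresses, the query names, the internal suffix `corp.example.com`, and all thresholds (`burst_seconds`, `max_probe_count`, the entropy cut-off) are constructed assumptions to be tuned against your own DNS logs, not facts taken from the Microsoft article.

```python
"""Triage random-looking DNS queries from Windows hosts.

Added example for this thread, not code from Microsoft or the original posters.
Heuristic assumptions (not facts from the linked Microsoft article):
  * OS test queries appear as a random label directly under the host's own
    DNS suffix, in a small burst around a reboot or network restart.
  * DGA traffic instead produces many random labels under many different,
    external parent domains, spread out over time.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, format: "<ISO timestamp> <client IP> <qname> <rcode>".
# 10.0.0.5 is a DC that just rebooted; 10.0.0.9 shows a DGA-like trickle.
SAMPLE_LOG = """\
2024-02-23T09:00:01 10.0.0.5 mdsvbwgxpq.corp.example.com NXDOMAIN
2024-02-23T09:00:01 10.0.0.5 hxlqzwtrko.corp.example.com NXDOMAIN
2024-02-23T09:00:02 10.0.0.5 qpzrlvhyts.corp.example.com NXDOMAIN
2024-02-23T09:00:05 10.0.0.5 dc01.corp.example.com NOERROR
2024-02-23T09:13:10 10.0.0.9 a1xkq0pwe3.net NXDOMAIN
2024-02-23T09:21:44 10.0.0.9 zx9kqe7rtp.org NXDOMAIN
2024-02-23T09:35:02 10.0.0.9 q8mwe3rtza.com NXDOMAIN
2024-02-23T09:48:19 10.0.0.9 v7ktqpx2lm.info NXDOMAIN
2024-02-23T10:02:51 10.0.0.9 p3zrqw8yxk.biz NXDOMAIN
2024-02-23T10:15:33 10.0.0.9 k2rtzqx7pm.net NXDOMAIN
"""

# Assumed: the organisation's own AD DNS suffix(es) that the OS appends.
INTERNAL_SUFFIXES = ("corp.example.com",)


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    """Crude DGA-style test: long-ish, high entropy, few vowels."""
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= 3.0 and vowels / len(label) < 0.35


def parse_line(line: str) -> dict:
    """Split one log line into timestamp, client, first label and parent domain."""
    ts, client, qname, rcode = line.split()
    labels = qname.rstrip(".").lower().split(".")
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "label": labels[0],
        "parent": ".".join(labels[1:]),
        "rcode": rcode,
    }


def classify_clients(log_text: str, internal_suffixes=INTERNAL_SUFFIXES,
                     burst_seconds: int = 60, max_probe_count: int = 10) -> dict:
    """Return {client: verdict}; verdict is 'os_probe_candidate',
    'dga_candidate', 'review' or 'clean'."""
    internal = set(internal_suffixes)
    clients = set()
    suspicious = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        clients.add(rec["client"])
        # Only random-looking names that did not resolve are of interest.
        if looks_random(rec["label"]) and rec["rcode"] == "NXDOMAIN":
            suspicious[rec["client"]].append(rec)

    verdicts = {c: "clean" for c in clients}
    for client, recs in suspicious.items():
        parents = {r["parent"] for r in recs}
        external = parents - internal
        times = [r["ts"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        if not external and span <= burst_seconds and len(recs) <= max_probe_count:
            # Short burst of random labels under our own suffix only.
            verdicts[client] = "os_probe_candidate"
        elif external and (len(external) >= 3 or span > burst_seconds):
            # Many external parents or a slow trickle: behaves like malware DGA.
            verdicts[client] = "dga_candidate"
        else:
            # Anything in between gets a human look rather than auto-suppression.
            verdicts[client] = "review"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{client:12} {verdict}")
```

The point of the three-way verdict is that an allow-list on the internal suffix alone is too blunt: a compromised host could also query random names under your own zone. Auto-suppress only the narrow burst pattern the poster reproduced (few queries, own suffix, seconds around a reboot), keep the multi-parent or slow-trickle pattern as a DGA alert, and route everything else to an analyst.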