T1568.003

DNS Calculation

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.

Microsoft Sentinel / Defender

kusto

// T1568.003 DNS Calculation — Detect C2 connections where destination port matches
// a mathematical derivation from the destination IP's octets.
// Primary formula (APT12): port = (octet1 * octet2) + octet3
// Secondary variant:       port = octet1 * (octet2 + octet3)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where isnotempty(RemoteIP)
| where RemoteIPType == "Public"
// Focus on non-trivial port range where calculations typically land
| where RemotePort between (4096 .. 49151)
// Exclude common legitimate high ports to reduce noise
| where RemotePort !in (8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017)
// Parse IP octets from destination address
| extend IP_Parts = split(RemoteIP, ".")
| extend Oct1 = toint(IP_Parts[0])
| extend Oct2 = toint(IP_Parts[1])
| extend Oct3 = toint(IP_Parts[2])
// Apply known calculation formulas
| extend CalcPort_APT12 = (Oct1 * Oct2) + Oct3
| extend CalcPort_Variant = Oct1 * (Oct2 + Oct3)
// Score matches
| extend MatchScore = toint(RemotePort == CalcPort_APT12) + toint(RemotePort == CalcPort_Variant)
| where MatchScore > 0
| extend MatchedFormula = case(
    RemotePort == CalcPort_APT12 and RemotePort == CalcPort_Variant, "Both formulas",
    RemotePort == CalcPort_APT12, "APT12: (oct1*oct2)+oct3",
    "Variant: oct1*(oct2+oct3)"
  )
// Deprioritize noisy system processes
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe", "wininit.exe")
| project
    Timestamp,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    InitiatingProcessId,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    Oct1, Oct2, Oct3,
    CalcPort_APT12,
    CalcPort_Variant,
    MatchedFormula,
    MatchScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Applications connecting to high-numbered ports that coincidentally match an octet calculation — mathematically possible for any connection to a port in the 4096-49151 range, though probability is low for a specific formula match
Custom enterprise middleware or internal tools that use IP-derived port schemes for service discovery or load balancing configuration
VPN concentrators, STUN/TURN servers, or media relay infrastructure using dynamic port allocation that may produce coincidental calculation matches
Peer-to-peer applications (Skype for Business, legacy Teams, BitTorrent clients) that negotiate high ports dynamically in a range overlapping with calculated values
Development and testing environments where engineers have implemented custom port-derivation schemes for internal APIs or microservices

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (
    DestinationIp="10.*" OR
    DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR
    DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR
    DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR
    DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR
    DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR
    DestinationIp="172.31.*" OR
    DestinationIp="192.168.*" OR
    DestinationIp="127.*" OR
    DestinationIp="169.254.*"
)
NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe")
| where DestinationPort > 4096 AND DestinationPort < 49152
| rex field=DestinationIp "^(?P<oct1>\d{1,3})\.(?P<oct2>\d{1,3})\.(?P<oct3>\d{1,3})\.\d{1,3}$"
| eval oct1=tonumber(oct1), oct2=tonumber(oct2), oct3=tonumber(oct3)
| where isnum(oct1) AND isnum(oct2) AND isnum(oct3)
| eval calc_port_apt12=(oct1*oct2)+oct3
| eval calc_port_variant=oct1*(oct2+oct3)
| eval match_apt12=if(DestinationPort=calc_port_apt12, 1, 0)
| eval match_variant=if(DestinationPort=calc_port_variant, 1, 0)
| eval match_score=match_apt12+match_variant
| where match_score > 0
| eval matched_formula=case(
    match_apt12=1 AND match_variant=1, "Both formulas",
    match_apt12=1, "APT12: (oct1*oct2)+oct3",
    match_variant=1, "Variant: oct1*(oct2+oct3)"
  )
| table _time, host, User, Image, CommandLine, DestinationHostname, DestinationIp, DestinationPort, oct1, oct2, oct3, calc_port_apt12, calc_port_variant, matched_formula, match_score
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3 (Network Connection) Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Applications dynamically negotiating connection ports that happen to match the calculation formula for the server IP they are connecting to
Gaming platforms or peer-to-peer applications using mathematically derived port ranges for NAT traversal or connection hole-punching
Custom enterprise integration software that uses IP-octet-based port schemes for deterministic service addressing
CDN or anycast infrastructure where many different IPs can resolve for a domain, increasing the chance of a coincidental calculation match across the fleet
Security testing tools or internal port scanners that sweep ranges overlapping with calculated values during vulnerability assessments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  "ProcessPath" AS process_path,
  LONG(REGEXP_SUBSTR(destinationip, '^(\d{1,3})\.', 1, 1, '', 1)) AS oct1,
  LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) AS oct2,
  LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) AS oct3,
  (LONG(REGEXP_SUBSTR(destinationip, '^(\d{1,3})\.', 1, 1, '', 1)) * LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1))) + LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) AS calc_port_apt12,
  LONG(REGEXP_SUBSTR(destinationip, '^(\d{1,3})\.', 1, 1, '', 1)) * (LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) + LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1))) AS calc_port_variant
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 225, 352)  -- Sysmon / Windows Security / Endpoint sources
  AND QIDNAME(qid) ILIKE '%network connect%'
  AND destinationport BETWEEN 4096 AND 49151
  AND destinationport NOT IN (8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017)
  AND destinationip NOT ILIKE '10.%'
  AND destinationip NOT ILIKE '172.16.%' AND destinationip NOT ILIKE '172.17.%'
  AND destinationip NOT ILIKE '172.18.%' AND destinationip NOT ILIKE '172.19.%'
  AND destinationip NOT ILIKE '172.20.%' AND destinationip NOT ILIKE '172.21.%'
  AND destinationip NOT ILIKE '172.22.%' AND destinationip NOT ILIKE '172.23.%'
  AND destinationip NOT ILIKE '172.24.%' AND destinationip NOT ILIKE '172.25.%'
  AND destinationip NOT ILIKE '172.26.%' AND destinationip NOT ILIKE '172.27.%'
  AND destinationip NOT ILIKE '172.28.%' AND destinationip NOT ILIKE '172.29.%'
  AND destinationip NOT ILIKE '172.30.%' AND destinationip NOT ILIKE '172.31.%'
  AND destinationip NOT ILIKE '192.168.%'
  AND destinationip NOT ILIKE '127.%'
  AND destinationip NOT ILIKE '169.254.%'
  AND destinationip IS NOT NULL
HAVING
  destinationport = calc_port_apt12
  OR destinationport = calc_port_variant
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM — Windows Sysmon Event ID 3 via WinCollect or syslog QRadar Endpoint Detection source Network flow data (QFlow)

Required Tables

events (QRadar normalized event store)

False Positives

Custom enterprise middleware applications that bind to dynamically assigned ports whose calculation incidentally matches the formula for a given upstream server IP.
Automated penetration testing frameworks (Metasploit, Cobalt Strike in sanctioned exercises) that may use port schemes resembling calculated values.
High-entropy CDN IP ranges where some fraction of IP-to-port combinations statistically satisfy the formula by coincidence.

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*network*
| where EventID = "3" OR EventCode = "3" OR metadata_deviceEventId = "sysmon:3"
| parse field=DestinationIp "^(?<oct1>\d{1,3})\.(?<oct2>\d{1,3})\.(?<oct3>\d{1,3})\." nodrop
// Exclude private and loopback ranges
| where !DestinationIp matches "10.*"
| where !DestinationIp matches "172.16.*" AND !DestinationIp matches "172.17.*"
| where !DestinationIp matches "172.18.*" AND !DestinationIp matches "172.19.*"
| where !DestinationIp matches "172.20.*" AND !DestinationIp matches "172.21.*"
| where !DestinationIp matches "172.22.*" AND !DestinationIp matches "172.23.*"
| where !DestinationIp matches "172.24.*" AND !DestinationIp matches "172.25.*"
| where !DestinationIp matches "172.26.*" AND !DestinationIp matches "172.27.*"
| where !DestinationIp matches "172.28.*" AND !DestinationIp matches "172.29.*"
| where !DestinationIp matches "172.30.*" AND !DestinationIp matches "172.31.*"
| where !DestinationIp matches "192.168.*"
| where !DestinationIp matches "127.*"
| where !DestinationIp matches "169.254.*"
// Port range filter
| num(DestinationPort) as dst_port
| where dst_port >= 4096 AND dst_port <= 49151
| where dst_port != 8080 AND dst_port != 8443 AND dst_port != 8000
  AND dst_port != 8888 AND dst_port != 9090 AND dst_port != 9200
  AND dst_port != 9300 AND dst_port != 9418 AND dst_port != 27017
  AND dst_port != 27018 AND dst_port != 28017
// Parse octet values
| num(oct1) as o1
| num(oct2) as o2
| num(oct3) as o3
| where !isNull(o1) AND !isNull(o2) AND !isNull(o3)
// Compute formulas
| eval calc_apt12 = (o1 * o2) + o3
| eval calc_variant = o1 * (o2 + o3)
// Match detection
| where dst_port = calc_apt12 OR dst_port = calc_variant
| eval matched_formula = if(dst_port = calc_apt12 AND dst_port = calc_variant, "Both formulas",
    if(dst_port = calc_apt12, "APT12: (oct1*oct2)+oct3", "Variant: oct1*(oct2+oct3)"))
// Exclude noisy system processes
| where !Image matches "*\\svchost.exe"
  AND !Image matches "*\\lsass.exe"
  AND !Image matches "*\\services.exe"
| fields _messageTime, Computer, User, Image, CommandLine, DestinationHostname,
    DestinationIp, dst_port, o1, o2, o3, calc_apt12, calc_variant, matched_formula
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector — Windows Sysmon via Local Windows Event Log source Sumo Logic Cloud-to-Cloud endpoint telemetry Sumo Logic Security Event source (XmlWinEventLog)

Required Tables

Sumo Logic partition containing Sysmon Event ID 3 data

False Positives

Internal security scanners or vulnerability assessment tools that establish connections to public IPs on port ranges that coincidentally satisfy the formula.
VPN or tunnel clients that negotiate dynamic port allocations based on server-returned configuration data that numerically matches the formula.
Software update mechanisms in commercial products that connect to CDN endpoints whose IP structure satisfies the calculation for the negotiated connection port.

Google Chronicle / SecOps

yaral

rule T1568_003_DNS_Calculation_C2 {
  meta:
    author = "df00tech Argus"
    description = "Detects outbound C2 connections where destination port matches APT12-style DNS calculation formula derived from destination IP octets (T1568.003)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1568.003"
    reference = "https://attack.mitre.org/techniques/T1568/003/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    // Filter public IPs — exclude RFC1918 and loopback
    not re.regex($e.target.ip, `^10\.`) and
    not re.regex($e.target.ip, `^172\.(1[6-9]|2[0-9]|3[0-1])\.`) and
    not re.regex($e.target.ip, `^192\.168\.`) and
    not re.regex($e.target.ip, `^127\.`) and
    not re.regex($e.target.ip, `^169\.254\.`) and
    $e.target.ip != ""
    // Extract octets using regex
    re.capture($e.target.ip, `^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.`) = $oct_raw
    // Port range
    $e.target.port >= 4096
    $e.target.port <= 49151
    // Exclude noisy legitimate ports
    not $e.target.port in (8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017)
    // Exclude high-noise system processes
    not $e.principal.process.file.full_path in (
      "C:\\Windows\\System32\\svchost.exe",
      "C:\\Windows\\System32\\lsass.exe",
      "C:\\Windows\\System32\\services.exe",
      "C:\\Windows\\System32\\wininit.exe"
    )
    // Compute oct1, oct2, oct3 using strings.coerce_to_int on captured groups
    // Chronicle YARA-L: use re.capture for each octet separately
    re.capture($e.target.ip, `^(\d{1,3})\.`) = $oct1_str
    re.capture($e.target.ip, `^\d{1,3}\.(\d{1,3})\.`) = $oct2_str
    re.capture($e.target.ip, `^\d{1,3}\.\d{1,3}\.(\d{1,3})\.`) = $oct3_str
    // Coerce to integers
    $oct1 = math.to_float($oct1_str)
    $oct2 = math.to_float($oct2_str)
    $oct3 = math.to_float($oct3_str)
    // Calculate formulas
    $calc_apt12 = ($oct1 * $oct2) + $oct3
    $calc_variant = $oct1 * ($oct2 + $oct3)
    // Match port to either formula
    ($e.target.port = $calc_apt12 or $e.target.port = $calc_variant)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM — Endpoint sensor (CrowdStrike, Carbon Black, SentinelOne via Chronicle ingestion) Chronicle SIEM — Windows Sysmon Event ID 3 via forwarder Chronicle UDM network connection events

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION

False Positives

Enterprise monitoring agents (e.g., Datadog, Dynatrace) connecting to cloud telemetry endpoints on ephemeral ports where the CDN IP structure incidentally satisfies the formula.
Peer-to-peer or torrent applications that negotiate dynamic listener ports based on tracker responses, producing sporadic formula matches.
Development and test environments where internal tools communicate on dynamically assigned ports that happen to match the calculation for a given destination IP.

CrowdStrike LogScale (CQL)

cql

// T1568.003 — DNS Calculation C2 Detection
// Requires NetworkConnectIP4 events from Falcon sensor
#event_simpleName=NetworkConnectIP4
| RemotePort >= 4096 RemotePort <= 49151
// Exclude common legitimate high ports
| RemotePort != 8080 RemotePort != 8443 RemotePort != 8000
  RemotePort != 8888 RemotePort != 9090 RemotePort != 9200
  RemotePort != 9300 RemotePort != 9418 RemotePort != 27017
// Exclude RFC1918 and loopback — filter on RemoteAddressIP4
| !cidr(RemoteAddressIP4, "10.0.0.0/8")
| !cidr(RemoteAddressIP4, "172.16.0.0/12")
| !cidr(RemoteAddressIP4, "192.168.0.0/16")
| !cidr(RemoteAddressIP4, "127.0.0.0/8")
| !cidr(RemoteAddressIP4, "169.254.0.0/16")
// Exclude noisy system processes
| ImageFileName != /(?i)(svchost|lsass|services|wininit)\.exe$/
// Parse IP octets using regex
| regex("^(?P<oct1>\\d{1,3})\\.(?P<oct2>\\d{1,3})\\.(?P<oct3>\\d{1,3})\\.", field=RemoteAddressIP4)
// Coerce to numbers
| o1 := toNumber(oct1)
| o2 := toNumber(oct2)
| o3 := toNumber(oct3)
// Compute APT12 formula and variant
| calc_apt12 := (o1 * o2) + o3
| calc_variant := o1 * (o2 + o3)
// Filter: port must match at least one formula
| RemotePort = calc_apt12 OR RemotePort = calc_variant
// Label matched formula
| matched_formula := case {
    RemotePort = calc_apt12 AND RemotePort = calc_variant => "Both formulas",
    RemotePort = calc_apt12 => "APT12: (oct1*oct2)+oct3",
    * => "Variant: oct1*(oct2+oct3)"
  }
// Output
| table([ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort,
         oct1, oct2, oct3, calc_apt12, calc_variant, matched_formula, @timestamp])
| sort(@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR — NetworkConnectIP4 events Falcon sensor process telemetry (ProcessRollup2 for process context correlation)

Required Tables

#event_simpleName=NetworkConnectIP4 #event_simpleName=ProcessRollup2 (for enrichment join on TargetProcessId)

False Positives

Custom in-house applications using IP-derived port allocation (e.g., load balancer health check agents that compute ports from upstream node IPs).
Gaming or P2P applications that establish connections to rendezvous servers on ports derived from lobby session parameters that resolve to matching IP octet calculations.
Security research or red team infrastructure deliberately constructed to validate this detection, where known-safe IPs satisfy the formula on test ports.

Last updated: 2026-04-21 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1568.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

DNS Calculation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections