T1568.003 Google Chronicle · YARA-L

Detect DNS Calculation in Google Chronicle

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.003 DNS Calculation
Canonical reference
https://attack.mitre.org/techniques/T1568/003/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule T1568_003_DNS_Calculation_C2 {
  meta:
    author = "df00tech Argus"
    description = "Detects outbound C2 connections where destination port matches APT12-style DNS calculation formula derived from destination IP octets (T1568.003)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1568.003"
    reference = "https://attack.mitre.org/techniques/T1568/003/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    // Filter public IPs: exclude RFC 1918, loopback and link-local ranges
    not re.regex($e.target.ip, `^10\.`) and
    not re.regex($e.target.ip, `^172\.(1[6-9]|2[0-9]|3[0-1])\.`) and
    not re.regex($e.target.ip, `^192\.168\.`) and
    not re.regex($e.target.ip, `^127\.`) and
    not re.regex($e.target.ip, `^169\.254\.`) and
    $e.target.ip != ""
    // Port range: calculated ports below 4096 or in the dynamic range are not considered
    $e.target.port >= 4096
    $e.target.port <= 49151
    // Exclude noisy legitimate ports
    not $e.target.port in (8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017)
    // Exclude high-noise system processes
    not $e.principal.process.file.full_path in (
      "C:\\Windows\\System32\\svchost.exe",
      "C:\\Windows\\System32\\lsass.exe",
      "C:\\Windows\\System32\\services.exe",
      "C:\\Windows\\System32\\wininit.exe"
    )
    // Extract the first three octets with one re.capture per octet
    re.capture($e.target.ip, `^(\d{1,3})\.`) = $oct1_str
    re.capture($e.target.ip, `^\d{1,3}\.(\d{1,3})\.`) = $oct2_str
    re.capture($e.target.ip, `^\d{1,3}\.\d{1,3}\.(\d{1,3})\.`) = $oct3_str
    // Convert the captured octet strings to numbers
    $oct1 = math.to_float($oct1_str)
    $oct2 = math.to_float($oct2_str)
    $oct3 = math.to_float($oct3_str)
    // Calculate both port formulas
    $calc_apt12 = ($oct1 * $oct2) + $oct3
    $calc_variant = $oct1 * ($oct2 + $oct3)
    // Match the destination port to either formula
    ($e.target.port = $calc_apt12 or $e.target.port = $calc_variant)

  condition:
    $e
}
```

Severity: High · Confidence: Medium

Chronicle YARA-L 2.0 rule detecting the APT12 DNS Calculation C2 technique (T1568.003). The rule matches outbound NETWORK_CONNECTION events to public IPs where the target port equals either (oct1*oct2)+oct3 or oct1*(oct2+oct3), computed from the three most significant octets of the destination IP. RFC-1918, loopback, and link-local ranges are excluded via regex. Common noise processes and frequently used high ports are suppressed to reduce false positive volume.
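To check the rule's arithmetic and filter order before deploying it, the same logic can be prototyped offline against a handful of connection records. The Python below is an added example for this page, not the rule's code or a Chronicle SDK; the event dictionaries, field names (`target_ip`, `target_port`, `process_path`) and all IP/port values are constructed (documentation ranges only) and assumed for illustration.

```python
"""Offline prototype of the T1568.003 port-calculation check from the YARA-L rule.

Added example: mirrors the rule's filters (public IPv4 only, port 4096-49151,
noisy ports and system processes suppressed) and flags a connection when the
destination port equals (oct1*oct2)+oct3 or oct1*(oct2+oct3).
"""
import ipaddress

# Exclusions mirrored from the rule's events section
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
NOISY_PORTS = {8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017}
NOISY_PROCS = {
    r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\services.exe", r"C:\Windows\System32\wininit.exe"}
PORT_MIN, PORT_MAX = 4096, 49151


def candidate_ports(ip):
    """Return both calculated ports for a dotted-quad IPv4 address."""
    o1, o2, o3, _ = (int(x) for x in ip.split("."))
    return {"apt12": o1 * o2 + o3, "variant": o1 * (o2 + o3)}


def evaluate(event):
    """Apply the rule's filters to one event; return the matching formula name or None."""
    if event.get("event_type") != "NETWORK_CONNECTION" or event.get("direction") != "OUTBOUND":
        return None
    try:
        addr = ipaddress.ip_address(event["target_ip"])
    except (KeyError, ValueError):
        return None  # empty or malformed address: the rule requires target.ip != ""
    if addr.version != 4 or any(addr in net for net in PRIVATE_NETS):
        return None
    port = event["target_port"]
    if not PORT_MIN <= port <= PORT_MAX or port in NOISY_PORTS:
        return None
    if event.get("process_path") in NOISY_PROCS:
        return None
    for name, calc in candidate_ports(str(addr)).items():
        if calc == port:
            return name
    return None


# Constructed sample events (assumed field names, documentation IP ranges)
SAMPLE_EVENTS = [
    # 198*51+100 = 10198 -> APT12 formula match
    ("py_apt12", {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
                  "process_path": r"C:\Tools\python.exe",
                  "target_ip": "198.51.100.7", "target_port": 10198}),
    # 203*(0+113) = 22939 -> variant formula match
    ("py_variant", {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
                    "process_path": r"C:\Tools\python.exe",
                    "target_ip": "203.0.113.10", "target_port": 22939}),
    # 203*0+113 = 113 is below the 4096 floor: second octet 0 collapses the formula
    ("py_low_port", {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
                     "process_path": r"C:\Tools\python.exe",
                     "target_ip": "203.0.113.10", "target_port": 113}),
    # 172*30+150 = 5310 would match, but the destination is RFC 1918
    ("private_dst", {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
                     "process_path": r"C:\Tools\python.exe",
                     "target_ip": "172.30.150.20", "target_port": 5310}),
    # Same match as py_apt12 but from a suppressed system process
    ("svchost", {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
                 "process_path": r"C:\Windows\System32\svchost.exe",
                 "target_ip": "198.51.100.7", "target_port": 10198}),
    # Ordinary HTTPS connection: no formula match
    ("https", {"event_type": "NETWORK_CONNECTION", "direction": "OUTBOUND",
               "process_path": r"C:\Tools\python.exe",
               "target_ip": "198.51.100.7", "target_port": 443}),
]


def run_sample():
    """Evaluate every constructed event; returns {label: formula-or-None}."""
    return {label: evaluate(ev) for label, ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, result in run_sample().items():
        print(f"{label:12s} -> {result}")
```

The two sample addresses show why the 4096 floor matters: a zero second octet reduces the APT12 formula to the third octet alone, which is always below the range, and only the variant formula can still produce a port in range.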

Data Sources

  • Google Chronicle UDM: endpoint sensor (CrowdStrike, Carbon Black, SentinelOne via Chronicle ingestion)
  • Chronicle SIEM: Windows Sysmon Event ID 3 via forwarder
  • Chronicle UDM network connection events

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION

False Positives & Tuning

  • Enterprise monitoring agents (e.g., Datadog, Dynatrace) connecting to cloud telemetry endpoints on ephemeral ports where the CDN IP structure incidentally satisfies the formula.
  • Peer-to-peer or torrent applications that negotiate dynamic listener ports based on tracker responses, producing sporadic formula matches.
  • Development and test environments where internal tools communicate on dynamically assigned ports that happen to match the calculation for a given destination IP.
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour it exercises and the telemetry you should expect to see.

  1. Test 1: APT12-Style DNS Calculation Port Derivation (Python)

    Expected signal: Sysmon Event ID 22 (DNS Query): Image=python3.exe (or python.exe), QueryName=time.windows.com, QueryResults contains the resolved IP. Sysmon Event ID 3 (Network Connection): Image=python3.exe, DestinationIp=<resolved IP>, DestinationPort=<calculated value>. Note: the exact port depends on the IP returned by DNS at test time; the test's printed output shows the calculated value.

  2. Test 2: APT12-Style DNS Calculation Port Derivation (PowerShell)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with command line containing DNS resolution and arithmetic operations. Sysmon Event ID 22 (DNS Query): QueryName=time.windows.com, QueryResults with resolved IP. Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp and DestinationPort matching the calculated value.

  3. Test 3: Multi-Hostname DNS Calculation with Domain Fallback Rotation (Python)

    Expected signal: Three Sysmon Event ID 22 entries (one per hostname) from python3.exe. Three Sysmon Event ID 3 entries showing connection attempts to each calculated port. The sequence of multiple DNS queries followed by multiple calculated-port connections matches the hunting query pattern for DNS query bursts from non-browser processes.

  4. Test 4: DNS Calculation C2 Port Derivation (Bash/Linux)

    Expected signal: Linux auditd: syscall records for execve (dig, nc processes), connect syscall with destination IP and calculated port. Syslog: process execution entries. If Sysmon for Linux is deployed: Event ID 22 (DNS Query) for the dig execution, Event ID 3 (Network Connection) for the nc connection attempt with DestinationPort matching the calculated value.
