Detect DNS Calculation in Elastic Security
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1568 Dynamic Resolution
- Sub-technique
- T1568.003 DNS Calculation
- Canonical reference
- https://attack.mitre.org/techniques/T1568/003/
Elastic Detection Query
network where event.type == "connection" and
not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*", "169.254.*") and
destination.port >= 4096 and destination.port <= 49151 and
not destination.port in (8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017) and
not process.name in ("svchost.exe", "lsass.exe", "services.exe", "wininit.exe") and
destination.ip != null and destination.ip != "" and
/* EQL does not support inline math on parsed fields in a single expression;
use a script-based rule in Kibana or filter candidates here then enrich via
a runtime field / ingest pipeline that pre-computes calc_port_apt12 and
calc_port_variant and stores them as destination.calculated_port_apt12 /
destination.calculated_port_variant */
(
destination.calculated_port_apt12 == destination.port or
destination.calculated_port_variant == destination.port
)Detects outbound network connections where the destination port matches a mathematical derivation from the destination IP address octets, consistent with the APT12/Numbered Panda DNS Calculation technique (T1568.003). The APT12 formula is (octet1 * octet2) + octet3; the variant is octet1 * (octet2 + octet3). Requires an ingest pipeline or runtime field that pre-computes these values and stores them as destination.calculated_port_apt12 and destination.calculated_port_variant on network events. Connections to private, loopback, and link-local ranges are excluded. Common noise processes (svchost, lsass) are suppressed.
Data Sources
Required Tables
False Positives & Tuning
- Proprietary or legacy applications that use non-standard port allocation schemes derived from configuration data that happens to match the formula.
- Network testing tools and port scanners that iterate across calculated port ranges and incidentally match the formula on specific IPs.
- CDN or cloud provider endpoints whose IP octets numerically satisfy the formula for a commonly used dynamic port (e.g., ephemeral RPC ports).
Other platforms for T1568.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1APT12-Style DNS Calculation Port Derivation (Python)
Expected signal: Sysmon Event ID 22 (DNS Query): Image=python3.exe (or python.exe), QueryName=time.windows.com, QueryResults contains the resolved IP. Sysmon Event ID 3 (Network Connection): Image=python3.exe, DestinationIp=<resolved IP>, DestinationPort=<calculated value>. Note: exact port depends on the IP returned by DNS at test time — print output shows the calculated value.
- Test 2APT12-Style DNS Calculation Port Derivation (PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with command line containing DNS resolution and arithmetic operations. Sysmon Event ID 22 (DNS Query): QueryName=time.windows.com, QueryResults with resolved IP. Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp and DestinationPort matching the calculated value.
- Test 3Multi-Hostname DNS Calculation with Domain Fallback Rotation (Python)
Expected signal: Three Sysmon Event ID 22 entries (one per hostname) from python3.exe. Three Sysmon Event ID 3 entries showing connection attempts to each calculated port. The sequence — multiple DNS queries followed by multiple calculated-port connections — matches the hunting query pattern for DNS query bursts from non-browser processes.
- Test 4DNS Calculation C2 Port Derivation (Bash/Linux)
Expected signal: Linux auditd: syscall records for execve (dig, nc processes), connect syscall with destination IP and calculated port. Syslog: process execution entries. If Sysmon for Linux is deployed: Event ID 22 (DNS Query) for the dig execution, Event ID 3 (Network Connection) for the nc connection attempt with DestinationPort matching the calculated value.
References (7)
- https://attack.mitre.org/techniques/T1568/003/
- http://www.crowdstrike.com/blog/whois-numbered-panda/
- https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
- https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1568.003/T1568.003.md
Unlock Pro Content
Get the full detection package for T1568.003 including response playbook, investigation guide, and atomic red team tests.