T1568.003 CrowdStrike LogScale · LogScale

Detect DNS Calculation in CrowdStrike LogScale

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.003 DNS Calculation
Canonical reference
https://attack.mitre.org/techniques/T1568/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

// T1568.003 — DNS Calculation C2 Detection
// Requires NetworkConnectIP4 events from the Falcon sensor
#event_simpleName=NetworkConnectIP4
// Restrict to the band of ports the formulas realistically produce
| RemotePort >= 4096 and RemotePort <= 49151
// Exclude common legitimate high ports
| RemotePort != 8080 and RemotePort != 8443 and RemotePort != 8000
  and RemotePort != 8888 and RemotePort != 9090 and RemotePort != 9200
  and RemotePort != 9300 and RemotePort != 9418 and RemotePort != 27017
// Exclude RFC1918, loopback and link-local destinations
| !cidr(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
// Exclude noisy system processes
| ImageFileName != /(?i)(svchost|lsass|services|wininit)\.exe$/
// Extract the first three octets as named capture groups (LogScale uses (?<name>...), not Python's (?P<name>...))
| RemoteAddressIP4 = /^(?<oct1>\d{1,3})\.(?<oct2>\d{1,3})\.(?<oct3>\d{1,3})\./
// Coerce to numbers
| parseInt(oct1, as=o1)
| parseInt(oct2, as=o2)
| parseInt(oct3, as=o3)
// Compute the APT12 formula and its variant
| calc_apt12 := (o1 * o2) + o3
| calc_variant := o1 * (o2 + o3)
// Field-to-field comparison needs test(); a bare RemotePort=calc_apt12 would compare against the literal string
| test(RemotePort == calc_apt12) or test(RemotePort == calc_variant)
// Label the matched formula
| case {
    test(RemotePort == calc_apt12) and test(RemotePort == calc_variant) | matched_formula := "Both formulas";
    test(RemotePort == calc_apt12) | matched_formula := "APT12: (oct1*oct2)+oct3";
    * | matched_formula := "Variant: oct1*(oct2+oct3)"
  }
// Output
| table([ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort,
         oct1, oct2, oct3, calc_apt12, calc_variant, matched_formula, @timestamp])
| sort(@timestamp, order=desc)

Severity: high. Confidence: medium.

CrowdStrike LogScale (Falcon) CQL query detecting DNS Calculation-based C2 (T1568.003) using NetworkConnectIP4 process telemetry events. IP octets are extracted from the remote address via regex, both the APT12 formula ((oct1*oct2)+oct3) and its variant are computed, and connections are flagged where the actual remote port matches either result. Private and link-local CIDRs are excluded using LogScale cidr() filtering. High-noise system processes are suppressed via regex on ImageFileName.
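The same filtering and labelling logic, expressed in Python so the arithmetic and the exclusions can be checked offline against a handful of events. This is an added example, not CrowdStrike's code or the page's query; the event dictionaries are constructed to resemble the NetworkConnectIP4 fields the query reads (ComputerName, ImageFileName, RemoteAddressIP4, RemotePort), and the documentation-range addresses in them are sample values, not observed infrastructure.

```python
"""Reference implementation of the T1568.003 detection above (added example,
not the page's own code). Events are constructed to mimic Falcon
NetworkConnectIP4 records; field names are taken from the query."""
import ipaddress
import re

# Exclusions mirrored from the LogScale query.
EXCLUDED_PORTS = {8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017}
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
NOISY_IMAGE = re.compile(r"(?i)(svchost|lsass|services|wininit)\.exe$")
OCTETS = re.compile(r"^(?P<oct1>\d{1,3})\.(?P<oct2>\d{1,3})\.(?P<oct3>\d{1,3})\.")


def dns_calc_ports(ip: str) -> dict:
    """Return the candidate ports implied by an IPv4 address.

    'apt12'   : (oct1 * oct2) + oct3, the documented APT12/Numbered Panda formula
    'variant' : oct1 * (oct2 + oct3), the variant the query also checks
    """
    m = OCTETS.match(ip)
    if not m:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    o1, o2, o3 = (int(m.group(g)) for g in ("oct1", "oct2", "oct3"))
    return {"apt12": (o1 * o2) + o3, "variant": o1 * (o2 + o3)}


def classify(event: dict):
    """Apply the query's filters to one event.

    Returns the matched_formula label the query would emit, or None when the
    event is excluded or the port matches neither formula.
    """
    port = event["RemotePort"]
    ip = event["RemoteAddressIP4"]
    if not 4096 <= port <= 49151 or port in EXCLUDED_PORTS:
        return None
    if any(ipaddress.ip_address(ip) in net for net in EXCLUDED_NETS):
        return None
    if NOISY_IMAGE.search(event["ImageFileName"]):
        return None
    calc = dns_calc_ports(ip)
    hit_apt12 = port == calc["apt12"]
    hit_variant = port == calc["variant"]
    if hit_apt12 and hit_variant:
        return "Both formulas"
    if hit_apt12:
        return "APT12: (oct1*oct2)+oct3"
    if hit_variant:
        return "Variant: oct1*(oct2+oct3)"
    return None


def detect(events):
    """Run classify() over a batch and return the flagged rows (the query's table stage)."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append({**ev, **dns_calc_ports(ev["RemoteAddressIP4"]), "matched_formula": label})
    return hits


# Constructed sample events (not real telemetry); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ImageFileName": r"\Device\HarddiskVolume2\Users\a\AppData\Local\Temp\updater.exe",
     "RemoteAddressIP4": "198.51.100.7", "RemotePort": 10198},   # (198*51)+100 = 10198
    {"ComputerName": "WS01", "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "RemoteAddressIP4": "198.51.100.7", "RemotePort": 10198},   # same port, suppressed as noisy process
    {"ComputerName": "WS02", "ImageFileName": r"\Device\HarddiskVolume2\Users\b\Downloads\sync.exe",
     "RemoteAddressIP4": "203.0.113.9", "RemotePort": 22939},    # 203*(0+113) = 22939
    {"ComputerName": "WS02", "ImageFileName": r"\Device\HarddiskVolume2\Program Files\app\app.exe",
     "RemoteAddressIP4": "10.20.30.40", "RemotePort": 230},      # internal destination, excluded
    {"ComputerName": "WS03", "ImageFileName": r"\Device\HarddiskVolume2\Program Files\chrome\chrome.exe",
     "RemoteAddressIP4": "198.51.100.7", "RemotePort": 8443},    # allow-listed port, no formula match
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["ComputerName"], row["RemoteAddressIP4"], row["RemotePort"], row["matched_formula"])
```

Running it flags only the updater.exe and sync.exe connections; the svchost.exe row is dropped by the process exclusion even though its port satisfies the formula, which is the trade-off the "noisy system processes" filter makes.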

Data Sources

  • CrowdStrike Falcon EDR — NetworkConnectIP4 events
  • Falcon sensor process telemetry (ProcessRollup2 for process context correlation)

Required Tables

  • #event_simpleName=NetworkConnectIP4
  • #event_simpleName=ProcessRollup2 (for enrichment join on TargetProcessId)

False Positives & Tuning

  • Custom in-house applications using IP-derived port allocation (e.g., load balancer health check agents that compute ports from upstream node IPs).
  • Gaming or P2P applications that establish connections to rendezvous servers on ports derived from lobby session parameters that resolve to matching IP octet calculations.
  • Security research or red team infrastructure deliberately constructed to validate this detection, where known-safe IPs satisfy the formula on test ports.
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: APT12-Style DNS Calculation Port Derivation (Python)

    Expected signal: Sysmon Event ID 22 (DNS Query): Image=python3.exe (or python.exe), QueryName=time.windows.com, QueryResults contains the resolved IP. Sysmon Event ID 3 (Network Connection): Image=python3.exe, DestinationIp=<resolved IP>, DestinationPort=<calculated value>. Note: exact port depends on the IP returned by DNS at test time — print output shows the calculated value.

  2. Test 2: APT12-Style DNS Calculation Port Derivation (PowerShell)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with command line containing DNS resolution and arithmetic operations. Sysmon Event ID 22 (DNS Query): QueryName=time.windows.com, QueryResults with resolved IP. Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp and DestinationPort matching the calculated value.

  3. Test 3: Multi-Hostname DNS Calculation with Domain Fallback Rotation (Python)

    Expected signal: Three Sysmon Event ID 22 entries (one per hostname) from python3.exe. Three Sysmon Event ID 3 entries showing connection attempts to each calculated port. The sequence — multiple DNS queries followed by multiple calculated-port connections — matches the hunting query pattern for DNS query bursts from non-browser processes.

  4. Test 4: DNS Calculation C2 Port Derivation (Bash/Linux)

    Expected signal: Linux auditd: syscall records for execve (dig, nc processes), connect syscall with destination IP and calculated port. Syslog: process execution entries. If Sysmon for Linux is deployed: Event ID 22 (DNS Query) for the dig execution, Event ID 3 (Network Connection) for the nc connection attempt with DestinationPort matching the calculated value.
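The expected signals above all pair a DNS query (Sysmon Event ID 22) with a later connection (Event ID 3) from the same process to a port derived from the answer. The following added example, which is not part of the page or of Atomic Red Team, correlates those two event types so that a connection is only flagged when the destination IP came from that process's own DNS answer and the destination port equals one of the two formulas. The Sysmon-style event dictionaries are constructed, the `::ffff:` answer format mirrors how Sysmon writes IPv4 results, and the 60-second query-to-connection window is an assumption to tune per environment.

```python
"""Correlate Sysmon EID 22 (DNS query) with EID 3 (network connection) to find
connections whose port is derived from the DNS answer. Added example, not the
page's own query; events and the time window are constructed assumptions."""
from datetime import datetime, timedelta
import re

# Sysmon stores answers as a ';'-separated list; IPv4 answers appear as "::ffff:a.b.c.d".
RESULT_IPV4 = re.compile(r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})")
WINDOW = timedelta(seconds=60)  # assumed maximum gap between query and connection


def derived_ports(ip):
    """APT12 formula and its variant, computed from the first three octets."""
    o1, o2, o3 = (int(x) for x in ip.split(".")[:3])
    return {"apt12": (o1 * o2) + o3, "variant": o1 * (o2 + o3)}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Return one finding per EID 3 whose destination came from the same process's
    recent EID 22 answer and whose port matches a formula."""
    findings = []
    dns_by_proc = {}  # ProcessGuid -> [(query time, QueryName, {answer IPs})]
    for ev in sorted(events, key=lambda e: ts(e["UtcTime"])):
        if ev["EventID"] == 22:
            ips = set(RESULT_IPV4.findall(ev.get("QueryResults", "")))
            dns_by_proc.setdefault(ev["ProcessGuid"], []).append((ts(ev["UtcTime"]), ev["QueryName"], ips))
        elif ev["EventID"] == 3:
            when, dst, port = ts(ev["UtcTime"]), ev["DestinationIp"], int(ev["DestinationPort"])
            for qtime, qname, ips in dns_by_proc.get(ev["ProcessGuid"], []):
                if dst in ips and timedelta(0) <= when - qtime <= WINDOW:
                    formula = [name for name, p in derived_ports(dst).items() if p == port]
                    if formula:
                        findings.append({"Image": ev["Image"], "QueryName": qname, "DestinationIp": dst,
                                         "DestinationPort": port, "formula": formula[0]})
                    break  # connection is explained by this answer either way
    return findings


# Constructed Sysmon-like events (not captured telemetry).
SAMPLE = [
    {"EventID": 22, "UtcTime": "2024-05-01 10:00:00", "ProcessGuid": "{A1}",
     "Image": r"C:\Python311\python.exe", "QueryName": "time.windows.com",
     "QueryResults": "::ffff:198.51.100.7;"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:01", "ProcessGuid": "{A1}",
     "Image": r"C:\Python311\python.exe", "DestinationIp": "198.51.100.7",
     "DestinationPort": "10198"},                      # (198*51)+100: derived port
    {"EventID": 22, "UtcTime": "2024-05-01 10:00:05", "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "time.windows.com", "QueryResults": "::ffff:198.51.100.7;"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:06", "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "443"},   # DNS-explained, normal port
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:09", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.9",
     "DestinationPort": "22939"},                      # no EID 22 from this process: not correlated
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["Image"], f["QueryName"], f["DestinationIp"], f["DestinationPort"], f["formula"])
```

Only the python.exe pair is reported: the browser's connection to the same address on 443 is explained by its own lookup but the port is not derived, and the svchost.exe connection to a formula-matching port has no preceding lookup from that process, so this correlation stays silent on it and leaves that case to the IP-only query above.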
