T1568.003 IBM QRadar · QRadar

Detect DNS Calculation in IBM QRadar

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.003 DNS Calculation
Canonical reference
https://attack.mitre.org/techniques/T1568/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  "ProcessPath" AS process_path,
  LONG(REGEXP_SUBSTR(destinationip, '^(\d{1,3})\.', 1, 1, '', 1)) AS oct1,
  LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) AS oct2,
  LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) AS oct3,
  (LONG(REGEXP_SUBSTR(destinationip, '^(\d{1,3})\.', 1, 1, '', 1)) * LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1))) + LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) AS calc_port_apt12,
  LONG(REGEXP_SUBSTR(destinationip, '^(\d{1,3})\.', 1, 1, '', 1)) * (LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1)) + LONG(REGEXP_SUBSTR(destinationip, '^\d{1,3}\.\d{1,3}\.(\d{1,3})\.', 1, 1, '', 1))) AS calc_port_variant
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 225, 352)  -- Sysmon / Windows Security / Endpoint sources
  AND QIDNAME(qid) ILIKE '%network connect%'
  AND destinationport BETWEEN 4096 AND 49151
  AND destinationport NOT IN (8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017)
  AND destinationip NOT ILIKE '10.%'
  AND destinationip NOT ILIKE '172.16.%' AND destinationip NOT ILIKE '172.17.%'
  AND destinationip NOT ILIKE '172.18.%' AND destinationip NOT ILIKE '172.19.%'
  AND destinationip NOT ILIKE '172.20.%' AND destinationip NOT ILIKE '172.21.%'
  AND destinationip NOT ILIKE '172.22.%' AND destinationip NOT ILIKE '172.23.%'
  AND destinationip NOT ILIKE '172.24.%' AND destinationip NOT ILIKE '172.25.%'
  AND destinationip NOT ILIKE '172.26.%' AND destinationip NOT ILIKE '172.27.%'
  AND destinationip NOT ILIKE '172.28.%' AND destinationip NOT ILIKE '172.29.%'
  AND destinationip NOT ILIKE '172.30.%' AND destinationip NOT ILIKE '172.31.%'
  AND destinationip NOT ILIKE '192.168.%'
  AND destinationip NOT ILIKE '127.%'
  AND destinationip NOT ILIKE '169.254.%'
  AND destinationip IS NOT NULL
HAVING
  destinationport = calc_port_apt12
  OR destinationport = calc_port_variant
ORDER BY starttime DESC
LAST 24 HOURS
high severity medium confidence

QRadar AQL rule detecting outbound connections where the destination port equals a mathematical calculation derived from the destination IP octets, indicative of APT12-style DNS Calculation C2 (T1568.003). Parses the three most significant octets via REGEXP_SUBSTR, computes both the APT12 formula ((oct1*oct2)+oct3) and the variant (oct1*(oct2+oct3)), and filters events where the actual destination port matches either value. RFC-1918 and loopback ranges are excluded. Applies to Sysmon network events and endpoint telemetry log sources.

Data Sources

IBM QRadar SIEM — Windows Sysmon Event ID 3 via WinCollect or syslogQRadar Endpoint Detection sourceNetwork flow data (QFlow)

Required Tables

events (QRadar normalized event store)

False Positives & Tuning

  • Custom enterprise middleware applications that bind to dynamically assigned ports whose calculation incidentally matches the formula for a given upstream server IP.
  • Automated penetration testing frameworks (Metasploit, Cobalt Strike in sanctioned exercises) that may use port schemes resembling calculated values.
  • High-entropy CDN IP ranges where some fraction of IP-to-port combinations statistically satisfy the formula by coincidence.
Download portable Sigma rule (.yml)

Other platforms for T1568.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1APT12-Style DNS Calculation Port Derivation (Python)

    Expected signal: Sysmon Event ID 22 (DNS Query): Image=python3.exe (or python.exe), QueryName=time.windows.com, QueryResults contains the resolved IP. Sysmon Event ID 3 (Network Connection): Image=python3.exe, DestinationIp=<resolved IP>, DestinationPort=<calculated value>. Note: exact port depends on the IP returned by DNS at test time — print output shows the calculated value.

  2. Test 2APT12-Style DNS Calculation Port Derivation (PowerShell)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with command line containing DNS resolution and arithmetic operations. Sysmon Event ID 22 (DNS Query): QueryName=time.windows.com, QueryResults with resolved IP. Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp and DestinationPort matching the calculated value.

  3. Test 3Multi-Hostname DNS Calculation with Domain Fallback Rotation (Python)

    Expected signal: Three Sysmon Event ID 22 entries (one per hostname) from python3.exe. Three Sysmon Event ID 3 entries showing connection attempts to each calculated port. The sequence — multiple DNS queries followed by multiple calculated-port connections — matches the hunting query pattern for DNS query bursts from non-browser processes.

  4. Test 4DNS Calculation C2 Port Derivation (Bash/Linux)

    Expected signal: Linux auditd: syscall records for execve (dig, nc processes), connect syscall with destination IP and calculated port. Syslog: process execution entries. If Sysmon for Linux is deployed: Event ID 22 (DNS Query) for the dig execution, Event ID 3 (Network Connection) for the nc connection attempt with DestinationPort matching the calculated value.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1568.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1568Dynamic Resolution

Related Sub-techniques

T1568.001Fast Flux DNST1568.002Domain Generation Algorithms

Related Techniques

T1568Dynamic ResolutionT1568.001Fast Flux DNST1568.002Domain Generation AlgorithmsT1071.004DNST1071Application Layer ProtocolT1573.001Symmetric CryptographyT1132.001Standard EncodingT1205.002Socket FiltersT1027Obfuscated Files or Information

Same Tactic: Command and Control

Popular Detections