Detect DNS Calculation in Splunk
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1568 Dynamic Resolution
- Sub-technique: T1568.003 DNS Calculation
- Canonical reference: https://attack.mitre.org/techniques/T1568/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (
DestinationIp="10.*" OR
DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR
DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR
DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR
DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR
DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR
DestinationIp="172.31.*" OR
DestinationIp="192.168.*" OR
DestinationIp="127.*" OR
DestinationIp="169.254.*"
)
NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe")
| where DestinationPort > 4096 AND DestinationPort < 49152
| rex field=DestinationIp "^(?P<oct1>\d{1,3})\.(?P<oct2>\d{1,3})\.(?P<oct3>\d{1,3})\.\d{1,3}$"
| eval oct1=tonumber(oct1), oct2=tonumber(oct2), oct3=tonumber(oct3)
| where isnum(oct1) AND isnum(oct2) AND isnum(oct3)
| eval calc_port_apt12=(oct1*oct2)+oct3
| eval calc_port_variant=oct1*(oct2+oct3)
| eval match_apt12=if(DestinationPort=calc_port_apt12, 1, 0)
| eval match_variant=if(DestinationPort=calc_port_variant, 1, 0)
| eval match_score=match_apt12+match_variant
| where match_score > 0
| eval matched_formula=case(
match_apt12=1 AND match_variant=1, "Both formulas",
match_apt12=1, "APT12: (oct1*oct2)+oct3",
match_variant=1, "Variant: oct1*(oct2+oct3)"
)
| table _time, host, User, Image, CommandLine, DestinationHostname, DestinationIp, DestinationPort, oct1, oct2, oct3, calc_port_apt12, calc_port_variant, matched_formula, match_score
| sort - _time
Detects DNS Calculation C2 using Sysmon Event ID 3 (Network Connection). Extracts the three significant octets from the destination IP address using rex and applies the documented APT12 formula (port = oct1 × oct2 + oct3) and a secondary variant. Alerts when the actual destination port matches the mathematically derived value, indicating that the malware computed its C2 port from a DNS response rather than using a hardcoded value. Restricts scope to destination ports strictly between 4096 and 49152, and excludes RFC1918 address space (plus loopback and link-local ranges) and common system processes. The Sysmon DestinationHostname field provides DNS resolution context.
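To make the query's logic testable outside Splunk, the following Python reference model reproduces the same pipeline (address and process exclusions, the port window, octet extraction, both formulas and the match score) over constructed Sysmon Event ID 3 records. This is an added example, not the page's query or any vendor code; the image paths and TEST-NET addresses are constructed, and the field names follow Sysmon's schema.

```python
import ipaddress
from typing import Optional

# Exclusions mirrored from the SPL query: private, loopback and link-local
# destinations, and the three system processes dropped from scope.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
EXCLUDED_IMAGES = ("\\svchost.exe", "\\lsass.exe", "\\services.exe")
PORT_MIN, PORT_MAX = 4096, 49152   # same open interval as the SPL where clause


def candidate_ports(ip: str) -> dict:
    """Ports derived from the first three octets by each formula the query checks."""
    oct1, oct2, oct3, _ = (int(x) for x in ip.split("."))
    return {
        "APT12: (oct1*oct2)+oct3": oct1 * oct2 + oct3,
        "Variant: oct1*(oct2+oct3)": oct1 * (oct2 + oct3),
    }


def evaluate(event: dict) -> Optional[dict]:
    """Apply the SPL pipeline to one Event ID 3 record.

    Returns a row like the query's table output when the destination port
    equals a derived port, otherwise None.
    """
    if event.get("EventCode") != 3:
        return None
    try:
        ip = ipaddress.ip_address(event["DestinationIp"])
    except ValueError:
        return None
    # IPv6 or malformed addresses fail the query's rex, so they are dropped here too.
    if ip.version != 4 or any(ip in net for net in EXCLUDED_NETS):
        return None
    if event.get("Image", "").lower().endswith(EXCLUDED_IMAGES):
        return None
    port = int(event["DestinationPort"])          # Sysmon logs the port as a string
    if not (PORT_MIN < port < PORT_MAX):
        return None
    matched = [name for name, p in candidate_ports(str(ip)).items() if p == port]
    if not matched:
        return None
    return {
        "Image": event["Image"],
        "DestinationIp": str(ip),
        "DestinationPort": port,
        "matched_formula": "Both formulas" if len(matched) == 2 else matched[0],
        "match_score": len(matched),
    }


def detect(events: list) -> list:
    """Run evaluate() over a batch of Sysmon records and keep only the hits."""
    return [row for row in map(evaluate, events) if row is not None]


# Constructed Sysmon Event ID 3 records (TEST-NET addresses, fictitious paths).
SAMPLE_EVENTS = [
    # 198*51+100 = 10198: matches the documented APT12 formula
    {"EventCode": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "10198"},
    # 198*(51+100) = 29898: matches only the variant formula
    {"EventCode": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "29898"},
    # a zero third octet makes both formulas agree (198*51 = 10098)
    {"EventCode": 3, "Image": "C:\\ProgramData\\svc\\agent.exe",
     "DestinationIp": "198.51.0.9", "DestinationPort": "10098"},
    # would match, but svchost.exe is excluded by the query
    {"EventCode": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "10198"},
    # would match (192*168+50 = 32306), but RFC1918 space is excluded
    {"EventCode": 3, "Image": "C:\\Users\\alice\\tool.exe",
     "DestinationIp": "192.168.50.4", "DestinationPort": "32306"},
    # ordinary HTTPS: outside the port window
    {"EventCode": 3, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "443"},
    # IPv6 destination: the rex would not extract octets
    {"EventCode": 3, "Image": "C:\\Users\\alice\\tool.exe",
     "DestinationIp": "2001:db8::1", "DestinationPort": "8443"},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows (one per formula outcome) and silently drops the excluded process, the RFC1918 destination, the port-443 connection and the IPv6 record, which is the behaviour to expect from the SPL on the same data. The third sample also shows why the query reports a match_score: whenever the third octet is 0 both formulas produce the same port, so a score of 2 is not extra evidence by itself.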
Data Sources
Required Sourcetypes
False Positives & Tuning
- Applications dynamically negotiating connection ports that happen to match the calculation formula for the server IP they are connecting to
- Gaming platforms or peer-to-peer applications using mathematically derived port ranges for NAT traversal or connection hole-punching
- Custom enterprise integration software that uses IP-octet-based port schemes for deterministic service addressing
- CDN or anycast infrastructure where many different IPs can resolve for a domain, increasing the chance of a coincidental calculation match across the fleet
- Security testing tools or internal port scanners that sweep ranges overlapping with calculated values during vulnerability assessments
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: APT12-Style DNS Calculation Port Derivation (Python)
Expected signal: Sysmon Event ID 22 (DNS Query): Image=python3.exe (or python.exe), QueryName=time.windows.com, QueryResults contains the resolved IP. Sysmon Event ID 3 (Network Connection): Image=python3.exe, DestinationIp=<resolved IP>, DestinationPort=<calculated value>. Note: exact port depends on the IP returned by DNS at test time — print output shows the calculated value.
- Test 2: APT12-Style DNS Calculation Port Derivation (PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with command line containing DNS resolution and arithmetic operations. Sysmon Event ID 22 (DNS Query): QueryName=time.windows.com, QueryResults with resolved IP. Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp and DestinationPort matching the calculated value.
- Test 3: Multi-Hostname DNS Calculation with Domain Fallback Rotation (Python)
Expected signal: Three Sysmon Event ID 22 entries (one per hostname) from python3.exe. Three Sysmon Event ID 3 entries showing connection attempts to each calculated port. The sequence — multiple DNS queries followed by multiple calculated-port connections — matches the hunting query pattern for DNS query bursts from non-browser processes.
- Test 4: DNS Calculation C2 Port Derivation (Bash/Linux)
Expected signal: Linux auditd: syscall records for execve (dig, nc processes), connect syscall with destination IP and calculated port. Syslog: process execution entries. If Sysmon for Linux is deployed: Event ID 22 (DNS Query) for the dig execution, Event ID 3 (Network Connection) for the nc connection attempt with DestinationPort matching the calculated value.
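The expected signals above pair Event ID 22 (the DNS answer a process received) with Event ID 3 (the connection it then made). The following added example correlates the two per process so that a calculated-port hit is tied to the DNS answer that process actually obtained, and reports the size of the preceding query burst that Test 3 describes. It is not the page's query or any vendor code. Assumptions: ProcessGuid is used as the join key, a five-minute lookback between answer and connection is assumed, QueryResults is parsed for the "::ffff:a.b.c.d;" entries Sysmon writes for IPv4 answers, and all events, GUIDs and names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sysmon writes IPv4 answers in QueryResults as "::ffff:a.b.c.d;" entries.
IPV4_IN_RESULTS = re.compile(r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})")
# Assumed lookback between the DNS answer and the connection that uses it.
WINDOW = timedelta(minutes=5)


def derived_ports(ip: str) -> set:
    """Both documented formulas applied to the first three octets."""
    oct1, oct2, oct3, _ = (int(x) for x in ip.split("."))
    return {oct1 * oct2 + oct3, oct1 * (oct2 + oct3)}


def parse_utc(s: str) -> datetime:
    """Sysmon UtcTime, e.g. '2024-05-01 12:00:00.123'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def correlate(events: list) -> list:
    """Join Event ID 3 connections to earlier Event ID 22 answers from the same process.

    A finding is raised only when the destination IP was returned to that
    ProcessGuid within WINDOW and the port equals a derived port. Each finding
    also counts the distinct names the process queried in the window (the burst).
    """
    answers = defaultdict(list)   # ProcessGuid -> [(time, QueryName, ip)]
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = parse_utc(ev["UtcTime"])
        guid = ev["ProcessGuid"]
        if ev["EventCode"] == 22:
            for ip in IPV4_IN_RESULTS.findall(ev.get("QueryResults", "")):
                answers[guid].append((t, ev["QueryName"], ip))
        elif ev["EventCode"] == 3:
            port = int(ev["DestinationPort"])
            recent = [a for a in answers[guid] if t - a[0] <= WINDOW]
            for _, name, ip in recent:
                if ip == ev["DestinationIp"] and port in derived_ports(ip):
                    findings.append({
                        "UtcTime": ev["UtcTime"],
                        "Image": ev["Image"],
                        "ProcessGuid": guid,
                        "QueryName": name,
                        "DestinationIp": ip,
                        "DestinationPort": port,
                        "queries_in_window": len({a[1] for a in recent}),
                    })
                    break
    return findings


def _ev(code, utc, guid, image, **fields):
    """Constructor for the constructed Sysmon records below."""
    return {"EventCode": code, "UtcTime": utc, "ProcessGuid": guid, "Image": image, **fields}


# Constructed GUIDs, paths and TEST-NET addresses.
G1, G2, G3 = "{GUID-CONSTRUCTED-1}", "{GUID-CONSTRUCTED-2}", "{GUID-CONSTRUCTED-3}"
PY = "C:\\Tools\\python3.exe"
BROWSER = "C:\\Program Files\\Browser\\browser.exe"
SAMPLE_EVENTS = [
    # one non-browser process: three queries, then a connection to each derived port
    _ev(22, "2024-05-01 12:00:00.100", G1, PY, QueryName="host-a.example",
        QueryResults="::ffff:198.51.100.7;"),
    _ev(22, "2024-05-01 12:00:00.300", G1, PY, QueryName="host-b.example",
        QueryResults="::ffff:198.51.101.20;"),
    _ev(22, "2024-05-01 12:00:00.500", G1, PY, QueryName="host-c.example",
        QueryResults="type:  5 cdn.host-c.example;::ffff:203.0.113.200;"),
    _ev(3, "2024-05-01 12:00:01.000", G1, PY, DestinationIp="198.51.100.7",
        DestinationPort="10198"),    # 198*51+100
    _ev(3, "2024-05-01 12:00:02.000", G1, PY, DestinationIp="198.51.101.20",
        DestinationPort="10199"),    # 198*51+101
    _ev(3, "2024-05-01 12:00:03.000", G1, PY, DestinationIp="203.0.113.200",
        DestinationPort="22939"),    # 203*(0+113), variant formula
    # browser: resolves a name and connects on 443, no finding
    _ev(22, "2024-05-01 12:00:05.000", G2, BROWSER, QueryName="www.example",
        QueryResults="::ffff:198.51.100.77;"),
    _ev(3, "2024-05-01 12:00:05.200", G2, BROWSER, DestinationIp="198.51.100.77",
        DestinationPort="443"),
    # arithmetic match with no DNS answer from this process: not correlated
    _ev(3, "2024-05-01 12:00:06.000", G3, "C:\\Users\\bob\\scan.exe",
        DestinationIp="198.51.100.7", DestinationPort="10198"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The last sample record is the point of the join: its port satisfies the formula for its destination, so the Event ID 3-only query would raise it, but no DNS answer from that process explains the address, so this correlation does not. Requiring the answer before the connection removes the coincidental-match false positives listed under tuning, at the cost of missing hosts where Event ID 22 is not collected.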
References (7)
- https://attack.mitre.org/techniques/T1568/003/
- http://www.crowdstrike.com/blog/whois-numbered-panda/
- https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
- https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1568.003/T1568.003.md