Detect DNS Calculation in Sumo Logic CSE
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1568 Dynamic Resolution
- Sub-technique: T1568.003 DNS Calculation
- Canonical reference: https://attack.mitre.org/techniques/T1568/003/
Sumo Detection Query
_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*network*
| where EventID = "3" OR EventCode = "3" OR metadata_deviceEventId = "sysmon:3"
// Extract the first three octets of the destination address (nodrop keeps rows that fail to parse)
| parse regex field=DestinationIp "^(?<oct1>\d{1,3})\.(?<oct2>\d{1,3})\.(?<oct3>\d{1,3})\." nodrop
// Exclude private and loopback ranges
| where !(DestinationIp matches "10.*")
| where !(DestinationIp matches "172.16.*") AND !(DestinationIp matches "172.17.*")
| where !(DestinationIp matches "172.18.*") AND !(DestinationIp matches "172.19.*")
| where !(DestinationIp matches "172.20.*") AND !(DestinationIp matches "172.21.*")
| where !(DestinationIp matches "172.22.*") AND !(DestinationIp matches "172.23.*")
| where !(DestinationIp matches "172.24.*") AND !(DestinationIp matches "172.25.*")
| where !(DestinationIp matches "172.26.*") AND !(DestinationIp matches "172.27.*")
| where !(DestinationIp matches "172.28.*") AND !(DestinationIp matches "172.29.*")
| where !(DestinationIp matches "172.30.*") AND !(DestinationIp matches "172.31.*")
| where !(DestinationIp matches "192.168.*")
| where !(DestinationIp matches "127.*")
| where !(DestinationIp matches "169.254.*")
// Port range filter
| num(DestinationPort) as dst_port
| where dst_port >= 4096 AND dst_port <= 49151
| where dst_port != 8080 AND dst_port != 8443 AND dst_port != 8000
  AND dst_port != 8888 AND dst_port != 9090 AND dst_port != 9200
  AND dst_port != 9300 AND dst_port != 9418 AND dst_port != 27017
  AND dst_port != 27018 AND dst_port != 28017
// Convert octet values to numbers
| num(oct1) as o1
| num(oct2) as o2
| num(oct3) as o3
| where !isNull(o1) AND !isNull(o2) AND !isNull(o3)
// Compute both derivations (Sumo Logic aliases an expression with "as")
| (o1 * o2) + o3 as calc_apt12
| o1 * (o2 + o3) as calc_variant
// Match detection
| where dst_port = calc_apt12 OR dst_port = calc_variant
| if(dst_port = calc_apt12 AND dst_port = calc_variant, "Both formulas",
  if(dst_port = calc_apt12, "APT12: (oct1*oct2)+oct3", "Variant: oct1*(oct2+oct3)")) as matched_formula
// Exclude noisy system processes
| where !(Image matches "*\\svchost.exe")
  AND !(Image matches "*\\lsass.exe")
  AND !(Image matches "*\\services.exe")
| fields _messageTime, Computer, User, Image, CommandLine, DestinationHostname,
  DestinationIp, dst_port, o1, o2, o3, calc_apt12, calc_variant, matched_formula
| sort by _messageTime desc

Sumo Logic CIP query detecting DNS Calculation-based C2 (T1568.003) by monitoring Sysmon network connection events (Event ID 3). For each outbound connection to a public IP in the 4096-49151 port range, the first three IP octets are parsed and both the documented APT12 formula and its variant are computed. Events where the actual destination port matches either computed value are surfaced. Private IP ranges, loopback and link-local addresses, common application ports, and noisy system processes are suppressed.
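The same filtering and matching logic as the query above, mirrored in Python so it can be exercised offline against a handful of records; this is an added example, not code from the original page. It runs over constructed Sysmon Event ID 3 records (the IP addresses, ports and image paths are made up for the example) and returns the rows the query would surface together with the formula label.

```python
import re

# Suppressions mirrored from the Sumo query: RFC 1918, loopback, link-local.
PRIVATE_PREFIXES = ("10.", "192.168.", "127.", "169.254.") + tuple(
    f"172.{n}." for n in range(16, 32))
PORT_MIN, PORT_MAX = 4096, 49151
NOISY_PORTS = {8080, 8443, 8000, 8888, 9090, 9200, 9300, 9418, 27017, 27018, 28017}
NOISY_IMAGES = tuple("\\" + n for n in ("svchost.exe", "lsass.exe", "services.exe"))
OCTETS = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.")

def classify(event):
    """Return the matched formula label for one Sysmon Event ID 3 record, or None."""
    ip, port = event["DestinationIp"], int(event["DestinationPort"])
    if ip.startswith(PRIVATE_PREFIXES):                 # private / loopback / link-local
        return None
    if not PORT_MIN <= port <= PORT_MAX or port in NOISY_PORTS:
        return None
    if event["Image"].lower().endswith(NOISY_IMAGES):   # noisy system processes
        return None
    m = OCTETS.match(ip)
    if m is None:
        return None
    o1, o2, o3 = (int(x) for x in m.groups())
    calc_apt12 = (o1 * o2) + o3      # documented APT12 derivation
    calc_variant = o1 * (o2 + o3)    # variant tracked by the query
    if port == calc_apt12 == calc_variant:
        return "Both formulas"
    if port == calc_apt12:
        return "APT12: (oct1*oct2)+oct3"
    if port == calc_variant:
        return "Variant: oct1*(oct2+oct3)"
    return None

def hunt(events):
    """Surface (Image, DestinationIp, port, formula) for every event that matches."""
    return [(e["Image"], e["DestinationIp"], int(e["DestinationPort"]), label)
            for e in events if (label := classify(e)) is not None]

# Constructed sample records using Sysmon Event ID 3 field names (not real telemetry).
DROPPER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"Image": DROPPER, "DestinationIp": "198.51.100.23", "DestinationPort": "10198"},  # 198*51+100
    {"Image": DROPPER, "DestinationIp": "198.51.100.23", "DestinationPort": "29898"},  # 198*(51+100)
    {"Image": DROPPER, "DestinationIp": "203.40.0.5", "DestinationPort": "8120"},      # both agree
    {"Image": DROPPER, "DestinationIp": "192.168.1.5", "DestinationPort": "32257"},    # private, dropped
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "198.51.100.23", "DestinationPort": "10198"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "198.51.100.23", "DestinationPort": "443"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns three rows: the APT12 match, the variant match, and the 203.40.0.5 record where both derivations agree; the private-range, svchost.exe and port-443 records are suppressed exactly as the query's filters would suppress them.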
Data Sources
Required Tables
False Positives & Tuning
- Internal security scanners or vulnerability assessment tools that establish connections to public IPs on port ranges that coincidentally satisfy the formula.
- VPN or tunnel clients that negotiate dynamic port allocations based on server-returned configuration data that numerically matches the formula.
- Software update mechanisms in commercial products that connect to CDN endpoints whose IP structure satisfies the calculation for the negotiated connection port.
Other platforms for T1568.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: APT12-Style DNS Calculation Port Derivation (Python)
Expected signal: Sysmon Event ID 22 (DNS Query): Image=python3.exe (or python.exe), QueryName=time.windows.com, QueryResults contains the resolved IP. Sysmon Event ID 3 (Network Connection): Image=python3.exe, DestinationIp=<resolved IP>, DestinationPort=<calculated value>. Note: exact port depends on the IP returned by DNS at test time — print output shows the calculated value.
- Test 2: APT12-Style DNS Calculation Port Derivation (PowerShell)
Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with command line containing DNS resolution and arithmetic operations. Sysmon Event ID 22 (DNS Query): QueryName=time.windows.com, QueryResults with resolved IP. Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp and DestinationPort matching the calculated value.
- Test 3: Multi-Hostname DNS Calculation with Domain Fallback Rotation (Python)
Expected signal: Three Sysmon Event ID 22 entries (one per hostname) from python3.exe. Three Sysmon Event ID 3 entries showing connection attempts to each calculated port. The sequence — multiple DNS queries followed by multiple calculated-port connections — matches the hunting query pattern for DNS query bursts from non-browser processes.
- Test 4: DNS Calculation C2 Port Derivation (Bash/Linux)
Expected signal: Linux auditd: syscall records for execve (dig, nc processes), connect syscall with destination IP and calculated port. Syslog: process execution entries. If Sysmon for Linux is deployed: Event ID 22 (DNS Query) for the dig execution, Event ID 3 (Network Connection) for the nc connection attempt with DestinationPort matching the calculated value.
References (7)
- https://attack.mitre.org/techniques/T1568/003/
- http://www.crowdstrike.com/blog/whois-numbered-panda/
- https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
- https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1568.003/T1568.003.md