title: DNS Calculation (T1568.003)
id: df00tech-t1568-003
status: experimental
description: "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. The most documented implementation (attributed to APT12/Numbered Panda) multiplies the first two octets of a DNS-resolved IP address and adds the third octet to derive a dynamic C2 port number. This allows the malware to communicate on a port that changes based on the DNS response, making static firewall rules and port-based filtering ineffective."
references:
  - https://attack.mitre.org/techniques/T1568/003/
  - https://df00tech.com/detections/T1568.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1568.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Applications connecting to high-numbered ports that coincidentally match an octet calculation — mathematically possible for any connection to a port in the 4096-49151 range, though probability is low for a specific formula match"
  - Custom enterprise middleware or internal tools that use IP-derived port schemes for service discovery or load balancing configuration
  - "VPN concentrators, STUN/TURN servers, or media relay infrastructure using dynamic port allocation that may produce coincidental calculation matches"
  - "Peer-to-peer applications (Skype for Business, legacy Teams, BitTorrent clients) that negotiate high ports dynamically in a range overlapping with calculated values"
  - Development and testing environments where engineers have implemented custom port-derivation schemes for internal APIs or microservices
level: high