T1568.003: DNS Calculation — MITRE ATT&CK Technique

Description

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)

One implementation of DNS Calculation is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)

Platforms

ESXiLinuxmacOSWindows

Threat Groups (1)

ID	Group	Context
G0005	APT12	[APT12](https://attack.mitre.org/groups/G0005) has used multiple variants of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) includin...

References

Frequently Asked Questions

What is T1568.003 (DNS Calculation)?

T1568.003 is a MITRE ATT&CK technique named 'DNS Calculation'. It belongs to the Command and Control tactic(s). Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or t...

How can T1568.003 be detected?

Detection of T1568.003 (DNS Calculation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1568.003?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1568.003?

Known threat groups using T1568.003 include: APT12.