T1568.003 DNS Calculation
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.1
One implementation of DNS Calculation is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.123
| Item | Value |
|---|---|
| ID | T1568.003 |
| Sub-techniques | T1568.001, T1568.002, T1568.003 |
| Tactics | TA0011 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 11 March 2020 |
| Last Modified | 27 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0005 | APT12 | APT12 has used multiple variants of DNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.1 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
References
-
Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016. ↩↩↩
-
Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014. ↩
-
Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017. ↩