Skip to content

T1568.003 DNS Calculation

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.1

One implementation of DNS Calculation is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.123

Item Value
ID T1568.003
Sub-techniques T1568.001, T1568.002, T1568.003
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.0
Created 11 March 2020
Last Modified 27 March 2020

Procedure Examples

ID Name Description
G0005 APT12 APT12 has used multiple variants of DNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.1


ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content