DNS Calculation - T1568.003 (83a766f8-1501-4b3a-a2de-2e2849e8dfc1)
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
One implementation of DNS Calculation is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| DNS Calculation - T1568.003 (83a766f8-1501-4b3a-a2de-2e2849e8dfc1) | Attack Pattern | Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | 1 |