T1568.003 · Sub-technique · command-and-control · agent-callable

T1568.003: DNS Calculation

Sub-technique of T1568

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda) One implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)
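The observable this leaves for defenders is a mismatch between what DNS answered and what the host then connects to: either a connection to a resolved IP on a port that the answer never advertised, or a connection to an IP that no answer returned at all. The following correlation check is an added example, not part of the ATT&CK entry or SQUR's material; the DNS and connection records, the internal ranges and the expected-port allowlist are all constructed here, and because the page does not give the exact octet-to-port formula, the check flags any non-standard port to a resolved IP rather than one specific derivation.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the page): (timestamp, queried name, answer IP)
DNS_LOG = [
    ("10:00:01", "update.example-cdn.test", "203.0.113.10"),
    ("10:00:05", "mail.example.test", "198.51.100.25"),
]
# Constructed outbound flows: (timestamp, source IP, destination IP, destination port)
CONN_LOG = [
    ("10:00:02", "10.0.0.7", "203.0.113.10", 443),    # resolved IP, expected port
    ("10:00:03", "10.0.0.7", "203.0.113.10", 51977),  # resolved IP, port not advertised anywhere
    ("10:00:06", "10.0.0.7", "198.51.100.25", 25),    # resolved IP, expected port
    ("10:00:09", "10.0.0.7", "192.0.2.77", 8080),     # no DNS answer ever returned this IP
]
# Assumed site-specific baseline: internal ranges to ignore and ports normally seen outbound
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXPECTED_PORTS = {25, 53, 80, 443, 587, 993}


def find_suspicious(dns_log, conn_log, expected_ports=EXPECTED_PORTS):
    """Correlate DNS answers with outbound flows and return (ts, dst, port, reason) findings.

    Two signals match DNS Calculation: a flow to a resolved IP on a port the answer never
    carried (the port was computed, not looked up), and a flow to an IP no answer returned
    (the IP itself was computed from the answer).
    """
    resolved = defaultdict(set)  # answer IP -> names that resolved to it
    for _, name, ip in dns_log:
        resolved[ip].add(name)

    findings = []
    for ts, _src, dst, port in conn_log:
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL):
            continue  # internal traffic is out of scope for this check
        if dst not in resolved:
            findings.append((ts, dst, port, "destination IP was never returned by a DNS answer"))
        elif port not in expected_ports:
            names = ",".join(sorted(resolved[dst]))
            findings.append((ts, dst, port, f"non-standard port to IP resolved via {names}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(DNS_LOG, CONN_LOG):
        print(finding)
```

In practice the allowlist should come from a per-destination baseline rather than a fixed set, otherwise legitimate services on uncommon ports will dominate the output.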

ATT&CK tactics (1)

Command and Control

References

  1. https://attack.mitre.org/techniques/T1568/003
  2. http://www.crowdstrike.com/blog/whois-numbered-panda/
  3. https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
  4. https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.