Esc
DNS Calculation - T1568.003
(ATT&CK® Technique)
Definition
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1568003["DNS Calculation"] --> |produces| OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"]; class T1568003 OffensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode; click OutboundInternetDNSLookupTraffic href "/dao/artifact/d3f:OutboundInternetDNSLookupTraffic";
click T1568003 href "/offensive-technique/attack/T1568.003/"; click OutboundInternetDNSLookupTraffic href "/dao/artifact/d3f:OutboundInternetDNSLookupTraffic";Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; DNSTrafficAnalysis["DNS Traffic Analysis"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
DNSTrafficAnalysis["DNS Traffic Analysis"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class DNSTrafficAnalysis DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click DNSTrafficAnalysis href "/technique/d3f:DNSTrafficAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
RelayPatternAnalysis["Relay Pattern Analysis"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class RelayPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1568003["DNS Calculation"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; DNSAllowlisting["DNS Allowlisting"] -->
| blocks | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
DNSAllowlisting["DNS Allowlisting"] -.->
| may-isolate | T1568003["DNS Calculation"] ;
class DNSAllowlisting DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click DNSAllowlisting href "/technique/d3f:DNSAllowlisting"; DNSDenylisting["DNS Denylisting"] -->
| blocks | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
DNSDenylisting["DNS Denylisting"] -.->
| may-isolate | T1568003["DNS Calculation"] ;
class DNSDenylisting DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click DNSDenylisting href "/technique/d3f:DNSDenylisting"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1568003["DNS Calculation"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; ForwardResolutionDomainDenylisting["Forward Resolution Domain Denylisting"] -->
| blocks | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
ForwardResolutionDomainDenylisting["Forward Resolution Domain Denylisting"] -.->
| may-isolate | T1568003["DNS Calculation"] ;
class ForwardResolutionDomainDenylisting DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click ForwardResolutionDomainDenylisting href "/technique/d3f:ForwardResolutionDomainDenylisting"; ReverseResolutionIPDenylisting["Reverse Resolution IP Denylisting"] -->
| blocks | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
ReverseResolutionIPDenylisting["Reverse Resolution IP Denylisting"] -.->
| may-isolate | T1568003["DNS Calculation"] ;
class ReverseResolutionIPDenylisting DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click ReverseResolutionIPDenylisting href "/technique/d3f:ReverseResolutionIPDenylisting"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
| filters | OutboundInternetDNSLookupTraffic["Outbound Internet DNS Lookup Traffic"];
OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
| may-isolate | T1568003["DNS Calculation"] ;
class OutboundTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetDNSLookupTraffic ArtifactNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";