Potential Dead Drop Resolvers
Detects an executable that is not an internet browser making network connections to legitimate, popular websites that were used as dead drop resolvers in previous attacks. A dead drop resolver is a legitimate public service (a paste site, a social-media profile, a code-hosting raw file) on which the operator posts the real command-and-control address so that the implant can fetch it without embedding it (MITRE ATT&CK T1102.001).

Two things to check before relying on the rule. First, its log source is network_connection (Sysmon Event ID 3), not dns_query (Event ID 22): it matches on the DestinationHostname of the connection event, which Sysmon populates by a reverse lookup of the destination IP, so the field is frequently empty or shows a hosting or CDN name rather than the name the process actually resolved. Second, the filters are only as strong as their match: Chrome, Firefox, Internet Explorer and Edge are excluded by their installed full paths, but Brave, Maxthon, Opera, Safari, SeaMonkey, Vivaldi and Whale are excluded by file name alone (Image|endswith), so a binary with one of those names anywhere on disk is excluded as well. Note also that the hostname entries without a leading dot (for example 'facebook.com') match any hostname ending in that string, whereas '.cloudflare.com' matches only subdomains and not the apex domain.

Sigma rule
title: Potential Dead Drop Resolvers
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
status: test
description: Detects an executable, which is not an internet browser, making DNS requests to legitimate popular websites that were seen being used as dead drop resolvers in previous attacks.
references:
    - https://content.fireeye.com/apt-41/rpt-apt41
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
author: Sorina Ionescu
date: 2022/08/17
modified: 2023/04/18
tags:
    - attack.command_and_control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.cloudflare.com'
            - '.githubusercontent.com'
            - 'cdn.discordapp.com'
            - 'docs.google.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'reddit.com'
            - 'steamcommunity.com'
            - 'technet.microsoft.com'
            - 'twitter.com'
            - 'youtube.com'
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection service executable
    filter_optional_prtg:
        Image|endswith: '\PRTG Probe.exe' # Paessler's PRTG Network Monitor
    filter_optional_qlik:
        Image|endswith: '\Engine.exe' # Process from the qlik.com app
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other internet browsers in use in the environment, and other applications like the Microsoft Defender processes excluded above, may need to be added to the filters.
level: high
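To see exactly which events the condition above admits, here is an added plain-Python re-implementation of the rule's selection and filter logic run over a handful of constructed Sysmon Event ID 3 records. It is example code written for this page, not part of the rule or of SigmaHQ; the field names (Image, Initiated, DestinationHostname) are the Sysmon names the rule uses, the sample events are invented, and matching is done lower-cased because Sigma string matching is case-insensitive.

```python
# Added example: the rule's selection / filter logic in plain Python, applied to
# constructed Sysmon EID 3 (network_connection) records. Not SigmaHQ code.

# selection: DestinationHostname|endswith one of these (case-insensitive).
DEAD_DROP_SUFFIXES = (
    '.cloudflare.com', '.githubusercontent.com', 'cdn.discordapp.com',
    'docs.google.com', 'facebook.com', 'feeds.rapidfeeds.com', 'fotolog.com',
    'imgur.com', 'livejournal.com', 'paste.ee', 'pastebin.com', 'pastebin.pl',
    'pastetext.net', 'reddit.com', 'steamcommunity.com',
    'technet.microsoft.com', 'twitter.com', 'youtube.com',
)

# filter_main_*: browsers excluded by exact installed path ...
BROWSER_FULL_PATHS = {
    'c:\\program files\\google\\chrome\\application\\chrome.exe',
    'c:\\program files (x86)\\google\\chrome\\application\\chrome.exe',
    'c:\\program files\\mozilla firefox\\firefox.exe',
    'c:\\program files (x86)\\mozilla firefox\\firefox.exe',
    'c:\\program files (x86)\\internet explorer\\iexplore.exe',
    'c:\\program files\\internet explorer\\iexplore.exe',
    'c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe',
    'c:\\program files\\microsoft\\edge\\application\\msedge.exe',
}
# ... and browsers excluded by file name only, wherever the binary lives.
BROWSER_NAME_SUFFIXES = (
    '\\brave.exe', '\\maxthon.exe', '\\opera.exe', '\\safari.exe',
    '\\seamonkey.exe', '\\vivaldi.exe', '\\whale.exe',
    '\\windowsapps\\microsoftedge.exe',
)
EDGEWEBVIEW_PREFIX = 'c:\\program files (x86)\\microsoft\\edgewebview\\application\\'
EDGECORE_PREFIXES = ('c:\\program files (x86)\\microsoft\\edgecore\\',
                     'c:\\program files\\microsoft\\edgecore\\')
EDGECORE_SUFFIXES = ('\\msedge.exe', '\\msedgewebview2.exe')

# filter_optional_*: non-browser processes the rule author chose to exclude.
OPTIONAL_SUFFIXES = ('\\msmpeng.exe', '\\mssense.exe',
                     '\\prtg probe.exe', '\\engine.exe')


def matches_selection(event):
    """selection: outbound connection whose hostname ends with a listed suffix."""
    if str(event.get('Initiated', '')).lower() != 'true':
        return False
    host = str(event.get('DestinationHostname', '')).lower()
    return host.endswith(DEAD_DROP_SUFFIXES)


def matches_filter(event):
    """1 of filter_main_* or 1 of filter_optional_*."""
    image = str(event.get('Image', '')).lower()
    if image in BROWSER_FULL_PATHS:
        return True
    if image.endswith(BROWSER_NAME_SUFFIXES):
        return True
    if image.startswith(EDGEWEBVIEW_PREFIX):
        return True
    if image.startswith(EDGECORE_PREFIXES) and image.endswith(EDGECORE_SUFFIXES):
        return True
    return image.endswith(OPTIONAL_SUFFIXES)


def fires(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return matches_selection(event) and not matches_filter(event)


def alerts(events):
    """Images of all events the rule would raise."""
    return [e['Image'] for e in events if fires(e)]


# Constructed Sysmon EID 3 records carrying only the fields the rule reads.
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'Initiated': 'true', 'DestinationHostname': 'pastebin.com'},           # fires
    {'Image': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
     'Initiated': 'true', 'DestinationHostname': 'pastebin.com'},           # browser, filtered
    {'Image': 'C:\\Users\\bob\\Downloads\\brave.exe',
     'Initiated': 'true', 'DestinationHostname': 'raw.githubusercontent.com'},  # name-only filter: excluded from any path
    {'Image': 'C:\\Windows\\System32\\rundll32.exe',
     'Initiated': 'true', 'DestinationHostname': 'login.notfacebook.com'},  # 'facebook.com' has no leading dot
    {'Image': 'C:\\Windows\\System32\\svchost.exe',
     'Initiated': 'false', 'DestinationHostname': 'pastebin.com'},          # inbound, not selected
    {'Image': 'C:\\Windows\\System32\\curl.exe',
     'Initiated': 'true', 'DestinationHostname': 'cloudflare.com'},         # apex not covered by '.cloudflare.com'
]

if __name__ == '__main__':
    for e in SAMPLE_EVENTS:
        verdict = 'ALERT' if fires(e) else 'ok   '
        print(f"{verdict} {e['Image']} -> {e['DestinationHostname']}")
```

Running the script prints a verdict per sample event. The two worth dwelling on are the third and fourth: a binary named brave.exe in a Downloads folder is excluded purely on its file name, while rundll32.exe reaching login.notfacebook.com is flagged because 'facebook.com' is matched as a plain suffix; tightening either behaviour means changing the rule (full paths for the name-only browsers, a leading dot plus an explicit apex entry for the hostnames), not the tooling.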