New Connection Initiated To Potential Dead Drop Resolver Domain
Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites that were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected.
Sigma rule
title: New Connection Initiated To Potential Dead Drop Resolver Domain
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
    - id: d7b09985-95a3-44be-8450-b6eadf49833e
      type: obsolete
status: test
description: |
    Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites that were seen to be used as dead drop resolvers in previous attacks.
    In this context attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected.
references:
    - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
    - https://github.com/kleiton0x00/RedditC2
    - https://twitter.com/kleiton0x7e/status/1600567316810551296
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022-08-17
modified: 2024-08-22
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.t.me'
            - '4shared.com'
            - 'abuse.ch'
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cloudflare.com'
            - 'ddns.net'
            - 'discord.com'
            - 'docs.google.com'
            - 'drive.google.com'
            - 'dropbox.com'
            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'ghostbin.co/'
            - 'githubusercontent.com'
            - 'gofile.io'
            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'reddit.com'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'steamcommunity.com'
            - 'storage.googleapis.com'
            - 'technet.microsoft.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'twitter.com'
            - 'ufile.io'
            - 'vimeo.com'
            - 'w3spaces.com'
            - 'wetransfer.com'
            - 'workers.dev'
            - 'youtube.com'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_whatsapp:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
        Image|endswith: '\WhatsApp.exe'
        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
        DestinationHostname|endswith: '.t.me'
    filter_main_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\OneDrive.exe'
        DestinationHostname|endswith: 'onedrive.com'
    filter_main_dropbox:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        Image|endswith:
            - '\Dropbox.exe'
            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
        Image|endswith:
            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
            # In practice please apply exact path to avoid basic path bypass techniques.
            - '\MEGAsync.exe'
            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
            - '\MEGAsyncSetup32.exe' # Installers 32bit
            - '\MEGAsyncSetup64.exe' # Installers 64bit
            - '\MEGAupdater.exe'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    filter_main_googledrive:
        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
        DestinationHostname|endswith: 'drive.google.com'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'cdn.discordapp.com'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - One might need to exclude other internet browsers found in its network, or other applications like the ones mentioned above from Microsoft Defender.
    - Ninite contacting githubusercontent.com
level: high
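The following Python is an added illustration, not code from the Sigma project or the rule's authors. It re-implements the matching semantics the rule relies on (case-insensitive string compare, `*` as a wildcard, lists ORed, keys within one selection ANDed, `null` matching an absent field) and evaluates `selection and not 1 of filter_main_*` over constructed Sysmon event ID 3 style records. The hostname list is the rule's own; the filter set is a representative subset chosen to show why `filter_main_whatsapp` and `filter_main_mega` also pin the destination hostname. The event records, user name and file paths are constructed for the example.

```python
"""Evaluate the dead drop resolver rule's logic over constructed Sysmon
network_connection events. Added illustration, not code from the Sigma project."""
import re

# DestinationHostname|endswith values copied from the rule's selection block.
DEAD_DROP_SUFFIXES = [
    ".t.me", "4shared.com", "abuse.ch", "anonfiles.com", "cdn.discordapp.com",
    "cloudflare.com", "ddns.net", "discord.com", "docs.google.com", "drive.google.com",
    "dropbox.com", "dropmefiles.com", "facebook.com", "feeds.rapidfeeds.com", "fotolog.com",
    "ghostbin.co/", "githubusercontent.com", "gofile.io", "hastebin.com", "imgur.com",
    "livejournal.com", "mediafire.com", "mega.co.nz", "mega.nz", "onedrive.com", "pages.dev",
    "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net", "privatlab.com", "privatlab.net",
    "reddit.com", "send.exploit.in", "sendspace.com", "steamcommunity.com",
    "storage.googleapis.com", "technet.microsoft.com", "temp.sh", "transfer.sh",
    "trycloudflare.com", "twitter.com", "ufile.io", "vimeo.com", "w3spaces.com",
    "wetransfer.com", "workers.dev", "youtube.com",
]

# "Field|modifier" -> pattern(s). Keys within one filter are ANDed, list values are ORed,
# as in a Sigma selection. Representative subset of the rule's filter_main_* blocks.
FILTERS = {
    "filter_main_chrome": {"Image": [
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"]},
    "filter_main_chrome_appdata": {
        "Image|startswith": "C:\\Users\\",
        "Image|endswith": "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"},
    "filter_main_whatsapp": {
        "Image|startswith": ["C:\\Program Files (x86)\\WindowsApps\\", "C:\\Program Files\\WindowsApps\\"],
        "Image|endswith": "\\WhatsApp.exe",
        "DestinationHostname|endswith": "facebook.com"},
    "filter_main_mega": {
        "Image|endswith": ["\\MEGAsync.exe", "\\MEGAsyncSetup32_*RC.exe",
                           "\\MEGAsyncSetup32.exe", "\\MEGAsyncSetup64.exe", "\\MEGAupdater.exe"],
        "DestinationHostname|endswith": ["mega.co.nz", "mega.nz"]},
    "filter_main_null": {"Image": None},
    "filter_main_empty": {"Image": ""},
}

SELECTION = {"Initiated": "true", "DestinationHostname|endswith": DEAD_DROP_SUFFIXES}


def _wildcard_regex(pattern: str) -> str:
    """Sigma treats '*' as 'any run of characters'; everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def value_matches(value, modifier: str, pattern) -> bool:
    """Case-insensitive Sigma string matching of one field value against one pattern."""
    if pattern is None:            # 'Field: null' matches only an absent field
        return value is None
    if value is None:
        return False
    v, rx = str(value).lower(), _wildcard_regex(pattern.lower())
    if modifier == "startswith":
        return re.match(rx, v) is not None
    if modifier == "endswith":
        return re.search(rx + "$", v) is not None
    if modifier == "contains":
        return re.search(rx, v) is not None
    return re.fullmatch(rx, v) is not None


def selection_matches(spec: dict, event: dict) -> bool:
    """All keys of the selection must match; a list of values is an OR."""
    for key, patterns in spec.items():
        field, _, modifier = key.partition("|")
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if not any(value_matches(event.get(field), modifier, p) for p in candidates):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not selection_matches(SELECTION, event):
        return False
    return not any(selection_matches(f, event) for f in FILTERS.values())


# Constructed Sysmon event ID 3 style records (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Initiated": "true", "DestinationHostname": "pastebin.com"},                # alert
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Initiated": "true", "DestinationHostname": "pastebin.com"},                # browser: filtered
    {"Image": "C:\\Program Files\\WindowsApps\\WhatsApp.exe",
     "Initiated": "true", "DestinationHostname": "edge-star.facebook.com"},      # expected pairing
    {"Image": "C:\\Program Files\\WindowsApps\\WhatsApp.exe",
     "Initiated": "true", "DestinationHostname": "pastebin.com"},                # unexpected host: alert
    {"Image": "C:\\Users\\alice\\Downloads\\MEGAsyncSetup32_4.9.5RC.exe",
     "Initiated": "true", "DestinationHostname": "g.api.mega.co.nz"},            # wildcard filter
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "Initiated": "false", "DestinationHostname": "raw.githubusercontent.com"},  # not initiated: no
    {"Image": None, "Initiated": "true", "DestinationHostname": "discord.com"},  # null image: filtered
]


def evaluate(events=EVENTS) -> list:
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "      ", event["Image"], "->", event["DestinationHostname"])
```

Two things the run makes visible. First, the application filters that carry a `DestinationHostname|endswith` key only suppress the pairing the rule expects, so WhatsApp reaching facebook.com is quiet but the same binary reaching pastebin.com still alerts. Second, the `'ghostbin.co/'` entry ends in a slash, so it can never match a bare hostname value; an event with `DestinationHostname: ghostbin.co` is not selected. Note also that Sysmon fills `DestinationHostname` from a reverse lookup, so for destinations where that lookup yields nothing the rule has no value to compare and the connection goes unnoticed by this logic.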
Related rules
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux