New Connection Initiated To Potential Dead Drop Resolver Domain

Detects an executable that is neither an internet browser nor another known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks. In this context attackers leverage well-known sites such as "facebook" and "youtube" so that their command-and-control traffic blends in with normal browsing and passes through undetected.

Sigma rule

title: New Connection Initiated To Potential Dead Drop Resolver Domain
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
    - id: d7b09985-95a3-44be-8450-b6eadf49833e
      type: obsolete
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
status: test
description: |
    Detects an executable that is neither an internet browser nor another known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks.
    In this context attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected.
references:
    - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
    - https://github.com/kleiton0x00/RedditC2
    - https://twitter.com/kleiton0x7e/status/1600567316810551296
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022-08-17
modified: 2026-03-29
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.t.me'
            - '0x0.st'
            - '4shared.com'
            - 'abuse.ch'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'cloudflare.com'
            - 'ddns.net'
            - 'discord.com'
            - 'docs.google.com'
            - 'drive.google.com'
            - 'dropbox.com'
            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'ghostbin.co' # Note: a hostname never ends with "/", so a value with a trailing slash could never match
            - 'githubusercontent.com'
            - 'gofile.io'
            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'reddit.com'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'steamcommunity.com'
            - 'storage.googleapis.com'
            - 'technet.microsoft.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'twitter.com'
            - 'ufile.io'
            - 'vimeo.com'
            - 'w3spaces.com'
            - 'wetransfer.com'
            - 'workers.dev'
            - 'x0.at'
            - 'youtube.com'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor (exact paths, consistent with the other fixed-location filters)
        Image:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_waterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_whatsapp:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
        Image|endswith: '\WhatsApp.exe'
        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
        DestinationHostname|endswith: '.t.me'
    filter_main_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\OneDrive.exe'
        DestinationHostname|endswith: 'onedrive.com'
    filter_main_dropbox:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        Image|endswith:
            - '\Dropbox.exe'
            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
        Image|endswith:
            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
            #       In practice please apply exact path to avoid basic path bypass techniques.
            - '\MEGAsync.exe'
            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
            - '\MEGAsyncSetup32.exe' # Installers 32bit
            - '\MEGAsyncSetup64.exe' # Installers 64bit
            - '\MEGAupdater.exe'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    filter_main_googledrive:
        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
        DestinationHostname|endswith: 'drive.google.com'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'cdn.discordapp.com'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other internet browsers found on the network, and applications such as the Microsoft Defender executables mentioned above, may need to be excluded with additional filters.
    - Ninite contacting githubusercontent.com
level: high
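To see how the selection and the filter_main_* exclusions interact, the following is an added example written for this page, not SigmaHQ code and not a Sigma backend: a small re-implementation of the rule's condition run over constructed Sysmon Event ID 3 records. The domain and filter lists are a subset of the rule's, the sample events are invented, and matching is case-insensitive as in Sigma. For production use, compile the rule for your SIEM with sigma-cli/pySigma rather than hand-porting it.

```python
# Added example for this page: a small, self-contained re-implementation of the
# rule's selection/filter logic, run over constructed Sysmon Event ID 3 records.
# This is illustrative code written for this page, not SigmaHQ's rule engine or a
# pySigma backend; production use compiles the rule for your SIEM with sigma-cli.
# The suffix and filter lists below are a SUBSET of the rule's, and matching is
# case-insensitive as in Sigma.

# Subset of the rule's DestinationHostname|endswith list (constructed).
DEAD_DROP_SUFFIXES = (
    ".t.me", "pastebin.com", "githubusercontent.com", "facebook.com",
    "reddit.com", "discord.com", "cdn.discordapp.com", "dropbox.com",
)

# Browser filters: exact Image values and (Image|startswith, Image|endswith)
# pairs, as in the rule. Being path-based, they do NOT exclude a browser binary
# that was copied or renamed to another location (see the samples below).
BROWSER_EXACT = frozenset({
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
    "c:\\program files\\microsoft\\edge\\application\\msedge.exe",
})
BROWSER_PREFIX_SUFFIX = (
    ("c:\\users\\", "\\appdata\\local\\google\\chrome\\application\\chrome.exe"),
    ("c:\\users\\", "\\appdata\\local\\mozilla firefox\\firefox.exe"),
)

# Application filters scoped to the domains each app legitimately talks to:
# (Image|contains, Image|endswith, allowed DestinationHostname|endswith values).
APP_FILTERS = (
    ("\\appdata\\local\\discord\\", "\\discord.exe", ("discord.com", "cdn.discordapp.com")),
    ("\\appdata\\roaming\\telegram desktop\\", "\\telegram.exe", (".t.me",)),
    ("c:\\program files\\dropbox\\client\\", "\\dropbox.exe", ("dropbox.com",)),
)


def _selected(event):
    """selection: Initiated == 'true' and DestinationHostname ends with a listed suffix."""
    host = (event.get("DestinationHostname") or "").lower()
    return event.get("Initiated") == "true" and host.endswith(DEAD_DROP_SUFFIXES)


def _filtered(event):
    """1 of filter_main_*: any matching filter suppresses the event."""
    image = event.get("Image")
    if not image:                                  # filter_main_null / filter_main_empty
        return True
    image = image.lower()
    host = (event.get("DestinationHostname") or "").lower()
    if image in BROWSER_EXACT:
        return True
    if any(image.startswith(pre) and image.endswith(suf) for pre, suf in BROWSER_PREFIX_SUFFIX):
        return True
    return any(
        part in image and image.endswith(suf) and host.endswith(domains)
        for part, suf, domains in APP_FILTERS
    )


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return _selected(event) and not _filtered(event)


def run(events):
    """Return the Image of every event that would raise this rule, in input order."""
    return [e.get("Image") for e in events if matches(e)]


# Constructed Sysmon Event ID 3 records, using the field names that Sigma's
# windows/network_connection log source maps to.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Initiated": "true", "DestinationHostname": "pastebin.com"},               # browser: excluded
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "Initiated": "true", "DestinationHostname": "raw.githubusercontent.com"},  # unknown binary: ALERT
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Initiated": "true", "DestinationHostname": "www.reddit.com"},             # RedditC2-style: ALERT
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe",
     "Initiated": "true", "DestinationHostname": "cdn.discordapp.com"},         # app on its own domain: excluded
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe",
     "Initiated": "true", "DestinationHostname": "pastebin.com"},               # same app, other domain: ALERT
    {"Image": "C:\\Users\\bob\\Downloads\\chrome.exe",
     "Initiated": "true", "DestinationHostname": "pastebin.com"},               # relocated browser binary: ALERT
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Initiated": "false", "DestinationHostname": "facebook.com"},              # inbound connection: not selected
    {"Initiated": "true", "DestinationHostname": "pastebin.com"},               # no Image field: filter_main_null
]

if __name__ == "__main__":
    for image in run(SAMPLE_EVENTS):
        print("ALERT", image)
```

Two of the sample events are the ones worth studying when tuning. The Discord client is excluded only while it talks to discord.com or cdn.discordapp.com; the same binary reaching pastebin.com still alerts, which is why the domain-scoped filters in the rule should stay scoped rather than be widened to "this app is always fine". The chrome.exe copied to a Downloads folder is not excluded because every browser filter is anchored to an install path, which is exactly the point of the rule's note about applying exact paths to avoid basic path bypasses.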
