New Connection Initiated To Potential Dead Drop Resolver Domain

Detects an executable, which is not an internet browser or a known application, initiating network connections to legitimate popular websites that were seen being used as dead drop resolvers in previous attacks. In this context, attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected: the malware retrieves its real command-and-control address from content posted on the trusted site, so the traffic blends in with ordinary use of that site.

Sigma rule

title: New Connection Initiated To Potential Dead Drop Resolver Domain
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
    - id: d7b09985-95a3-44be-8450-b6eadf49833e
      type: obsolete
status: test
description: |
    Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
    In this context attackers leverage known websites such as "facebook", "youtube", etc. in order to pass through undetected.
references:
    - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
    - https://github.com/kleiton0x00/RedditC2
    - https://twitter.com/kleiton0x7e/status/1600567316810551296
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022-08-17
modified: 2024-08-22
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.t.me'
            - '4shared.com'
            - 'abuse.ch'
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cloudflare.com'
            - 'ddns.net'
            - 'discord.com'
            - 'docs.google.com'
            - 'drive.google.com'
            - 'dropbox.com'
            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'ghostbin.co/'
            - 'githubusercontent.com'
            - 'gofile.io'
            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'reddit.com'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'steamcommunity.com'
            - 'storage.googleapis.com'
            - 'technet.microsoft.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'twitter.com'
            - 'ufile.io'
            - 'vimeo.com'
            - 'w3spaces.com'
            - 'wetransfer.com'
            - 'workers.dev'
            - 'youtube.com'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_whatsapp:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
        Image|endswith: '\WhatsApp.exe'
        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
        DestinationHostname|endswith: '.t.me'
    filter_main_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\OneDrive.exe'
        DestinationHostname|endswith: 'onedrive.com'
    filter_main_dropbox:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        Image|endswith:
            - '\Dropbox.exe'
            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
        Image|endswith:
            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
            #       In practice please apply exact path to avoid basic path bypass techniques.
            - '\MEGAsync.exe'
            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
            - '\MEGAsyncSetup32.exe' # Installers 32bit
            - '\MEGAsyncSetup64.exe' # Installers 64bit
            - '\MEGAupdater.exe'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    filter_main_googledrive:
        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
        DestinationHostname|endswith: 'drive.google.com'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'cdn.discordapp.com'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - One might need to exclude other internet browsers found in its network or other applications like ones mentioned above from Microsoft Defender.
    - Ninite contacting githubusercontent.com
level: high
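To see how the rule's condition behaves before deploying it, the following added example (not code from the Sigma project or the rule's authors) re-implements the selection and a representative subset of the filter_main_* blocks in plain Python and runs them over constructed Sysmon-style network_connection events. It assumes the field names used by the rule (Initiated, Image, DestinationHostname) and case-insensitive string matching, which is the Sigma default; the executable paths and hostnames in the sample events are illustrative only.

```python
"""Minimal evaluator for the logic of the dead drop resolver Sigma rule.

Added example, not the Sigma project's code. It encodes the rule's
selection plus a few of its filter_main_* blocks so the matching semantics
(literal suffix matching, per-application domain scoping, events with no
Image value) can be inspected on constructed events.
Assumed: rule field names (Initiated, Image, DestinationHostname) and
case-insensitive matching, the Sigma default.
"""
from typing import Callable, Dict, List

# Subset of the DestinationHostname|endswith list from the rule's selection.
DEAD_DROP_SUFFIXES = (
    ".t.me", "cdn.discordapp.com", "cloudflare.com", "discord.com",
    "docs.google.com", "drive.google.com", "dropbox.com", "facebook.com",
    "githubusercontent.com", "pastebin.com", "reddit.com", "twitter.com",
    "youtube.com",
)


def _field(event: Dict, name: str) -> str:
    """Lower-cased string value of a field; '' when the field is absent or null."""
    value = event.get(name)
    return str(value).lower() if value is not None else ""


def selection(event: Dict) -> bool:
    """Sigma 'selection': Initiated == 'true' and hostname ends with any suffix."""
    if _field(event, "Initiated") != "true":
        return False
    host = _field(event, "DestinationHostname")
    return any(host.endswith(suffix) for suffix in DEAD_DROP_SUFFIXES)


def filter_chrome(event: Dict) -> bool:
    """filter_main_chrome: exact Image match on the two default install paths."""
    return _field(event, "Image") in (
        "c:\\program files\\google\\chrome\\application\\chrome.exe",
        "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
    )


def filter_chrome_appdata(event: Dict) -> bool:
    """filter_main_chrome_appdata: per-user Chrome install under C:\\Users\\."""
    image = _field(event, "Image")
    return image.startswith("c:\\users\\") and image.endswith(
        "\\appdata\\local\\google\\chrome\\application\\chrome.exe"
    )


def filter_telegram(event: Dict) -> bool:
    """filter_main_telegram: Telegram.exe is excluded only for *.t.me, so
    Telegram.exe reaching pastebin.com is still reported."""
    image = _field(event, "Image")
    return (
        "\\appdata\\roaming\\telegram desktop\\" in image
        and image.endswith("\\telegram.exe")
        and _field(event, "DestinationHostname").endswith(".t.me")
    )


def filter_null_or_empty(event: Dict) -> bool:
    """filter_main_null / filter_main_empty: drop events carrying no Image value."""
    return event.get("Image") in (None, "")


FILTERS: List[Callable[[Dict], bool]] = [
    filter_chrome, filter_chrome_appdata, filter_telegram, filter_null_or_empty,
]


def rule_matches(event: Dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (not real telemetry); paths and hosts are illustrative.
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TELEGRAM = "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe"
SAMPLE_EVENTS = {
    "script_to_pastebin": {"Initiated": "true", "Image": POWERSHELL, "DestinationHostname": "pastebin.com"},
    "chrome_to_pastebin": {"Initiated": "true", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "pastebin.com"},
    "telegram_to_own_domain": {"Initiated": "true", "Image": TELEGRAM, "DestinationHostname": "updates.t.me"},
    "telegram_to_pastebin": {"Initiated": "true", "Image": TELEGRAM, "DestinationHostname": "pastebin.com"},
    "no_image_field": {"Initiated": "true", "DestinationHostname": "pastebin.com"},
    "inbound_connection": {"Initiated": "false", "Image": POWERSHELL, "DestinationHostname": "pastebin.com"},
    # Suffix without a leading dot: 'cloudflare.com' also matches this lookalike host.
    "lookalike_suffix": {"Initiated": "true", "Image": POWERSHELL, "DestinationHostname": "not-cloudflare.com"},
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed event; True means the rule would alert."""
    return {tag: rule_matches(ev) for tag, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for tag, hit in run_samples().items():
        print(f"{'ALERT' if hit else 'ok   '}  {tag}")
```

Two things the run makes visible: the application filters that carry a DestinationHostname clause (Telegram, Dropbox, OneDrive, and so on) only suppress an application's traffic to its own service, so the same binary reaching a paste site still alerts; and suffixes listed without a leading dot ('cloudflare.com', 'discord.com') are literal string suffixes, so hostnames that merely end in those characters also match and may need tuning in your environment.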
