New Connection Initiated To Potential Dead Drop Resolver Domain
Detects an executable that is neither an internet browser nor a known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks. In this context attackers leverage well-known websites such as "facebook" or "youtube" in order to pass through undetected.
Sigma rule (View on GitHub)
```yaml
title: New Connection Initiated To Potential Dead Drop Resolver Domain
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
    - id: d7b09985-95a3-44be-8450-b6eadf49833e
      type: obsolete
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
status: test
description: |
    Detects an executable that is neither an internet browser nor a known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks.
    In this context attackers leverage well-known websites such as "facebook" or "youtube" in order to pass through undetected.
references:
    - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
    - https://github.com/kleiton0x00/RedditC2
    - https://twitter.com/kleiton0x7e/status/1600567316810551296
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022-08-17
modified: 2026-03-29
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.t.me'
            - '0x0.st'
            - '4shared.com'
            - 'abuse.ch'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'cloudflare.com'
            - 'ddns.net'
            - 'discord.com'
            - 'docs.google.com'
            - 'drive.google.com'
            - 'dropbox.com'
            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'ghostbin.co' # A hostname never ends with '/', so a trailing slash here would never match
            - 'githubusercontent.com'
            - 'gofile.io'
            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'reddit.com'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'steamcommunity.com'
            - 'storage.googleapis.com'
            - 'technet.microsoft.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'twitter.com'
            - 'ufile.io'
            - 'vimeo.com'
            - 'w3spaces.com'
            - 'wetransfer.com'
            - 'workers.dev'
            - 'x0.at'
            - 'youtube.com'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_whatsapp:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
        Image|endswith: '\WhatsApp.exe'
        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
        DestinationHostname|endswith: '.t.me'
    filter_main_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\OneDrive.exe'
        DestinationHostname|endswith: 'onedrive.com'
    filter_main_dropbox:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        Image|endswith:
            - '\Dropbox.exe'
            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
        Image|endswith:
            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
            # In practice please apply exact path to avoid basic path bypass techniques.
            - '\MEGAsync.exe'
            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
            - '\MEGAsyncSetup32.exe' # Installers 32bit
            - '\MEGAsyncSetup64.exe' # Installers 64bit
            - '\MEGAupdater.exe'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    filter_main_googledrive:
        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
        DestinationHostname|endswith: 'drive.google.com'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'cdn.discordapp.com'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - One might need to exclude other internet browsers found in its network, or other applications like the ones mentioned above from Microsoft Defender.
    - Ninite contacting githubusercontent.com
level: high
```
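To make the rule's evaluation order concrete (the `selection` suffix match, the browser path allow-list, the per-application filters that only suppress traffic to the application's own service, and the `filter_main_null` / `filter_main_empty` guards), here is a small evaluator run over constructed Sysmon Event ID 3 style records. This is an added example written for this page, not the Sigma rule itself, SigmaHQ's engine, or any SIEM backend; it models only a subset of the rule's domains and filters, the sample events and the `NetEvent` type are constructed, and the browser and application paths mirror the ones in the rule above.

```python
# Added example (not part of the Sigma rule or SigmaHQ): a minimal evaluator
# for the rule's logic over constructed Sysmon network_connection records.
from dataclasses import dataclass
from typing import List, Optional

# Subset of the rule's DestinationHostname|endswith list (constructed subset).
DEAD_DROP_SUFFIXES = (
    ".t.me", "pastebin.com", "facebook.com", "githubusercontent.com",
    "discord.com", "cdn.discordapp.com", "dropbox.com", "youtube.com",
)

# Exact-path browser filters (subset of filter_main_chrome / _firefox / _edge_1).
BROWSER_EXACT = {
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
}
# Per-user Chrome (filter_main_chrome_appdata): Image|startswith AND Image|endswith.
# Plain strings with doubled backslashes because a raw string cannot end in '\'.
BROWSER_USER = ("C:\\Users\\", "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe")

# Application filters that only suppress traffic to the app's own service:
# (Image|startswith or None, Image|contains or None, Image|endswith, hosts).
APP_FILTERS = [
    ("C:\\Program Files\\WindowsApps\\", None, r"\WhatsApp.exe", ("facebook.com",)),
    (None, "\\AppData\\Local\\Discord\\", r"\Discord.exe", ("discord.com", "cdn.discordapp.com")),
    ("C:\\Program Files\\Dropbox\\Client\\", None, r"\Dropbox.exe", ("dropbox.com",)),
]


@dataclass
class NetEvent:
    """The fields of a Sysmon network_connection event that the rule inspects."""
    image: Optional[str]   # Image; None models a missing field (filter_main_null)
    dest_host: str         # DestinationHostname
    initiated: bool        # Initiated


def _ends_with_any(value: str, suffixes) -> bool:
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_selection(ev: NetEvent) -> bool:
    """The rule's `selection`: an outbound connection to a listed domain suffix."""
    return ev.initiated and _ends_with_any(ev.dest_host, DEAD_DROP_SUFFIXES)


def is_filtered(ev: NetEvent) -> bool:
    """`1 of filter_main_*`: any single matching filter suppresses the event."""
    if ev.image is None or ev.image == "":           # filter_main_null / filter_main_empty
        return True
    img = ev.image.lower()
    if img in {p.lower() for p in BROWSER_EXACT}:    # exact browser install paths
        return True
    if img.startswith(BROWSER_USER[0].lower()) and img.endswith(BROWSER_USER[1].lower()):
        return True
    for starts, contains, ends, hosts in APP_FILTERS:
        if starts and not img.startswith(starts.lower()):
            continue
        if contains and contains.lower() not in img:
            continue
        # The app filter is bound to the app's own destination: a WhatsApp
        # client reaching pastebin.com is not suppressed by it.
        if img.endswith(ends.lower()) and _ends_with_any(ev.dest_host, hosts):
            return True
    return False


def alerts(ev: NetEvent) -> bool:
    """`condition: selection and not 1 of filter_main_*`."""
    return matches_selection(ev) and not is_filtered(ev)


def evaluate(events: List[NetEvent]) -> List[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if alerts(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pastebin.com", True),  # 0: browser, filtered
    NetEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", "pastebin.com", True),          # 1: alert
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "raw.githubusercontent.com", True),                                              # 2: alert (suffix match)
    NetEvent(r"C:\Program Files\WindowsApps\WhatsApp.exe", "www.facebook.com", True),         # 3: own service, filtered
    NetEvent(r"C:\Program Files\WindowsApps\WhatsApp.exe", "pastebin.com", True),             # 4: alert
    NetEvent(None, "pastebin.com", True),                                                     # 5: no Image, filtered
    NetEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe", "example.com", True),             # 6: domain not listed
    NetEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe", "pastebin.com", False),           # 7: inbound, not selected
    NetEvent(r"C:\USERS\CAROL\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE",
             "youtube.com", True),                                                            # 8: per-user Chrome, filtered
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev.image} -> {ev.dest_host}")
```

Running the block reports events 1, 2 and 4. Event 5 shows why `filter_main_null` exists: a record with no `Image` would otherwise alert on hostname alone, which is noise rather than evidence. Event 8 shows the consequence of Sigma's case-insensitive matching, which the evaluator reproduces by lowercasing both sides before comparing.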
Related rules
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Raw Paste Service Access
- PwnDrp Access
- Process Initiated Network Connection To Ngrok Domain
- Suspicious Non-Browser Network Communication With Telegram API