Potential Dead Drop Resolvers
Detects an executable that is not an internet browser or known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks. In this context attackers leverage well-known websites such as "facebook" or "youtube" in order to pass through undetected.
Sigma rule
title: Potential Dead Drop Resolvers
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
    - id: d7b09985-95a3-44be-8450-b6eadf49833e
      type: obsoletes
status: test
description: |
    Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
    In this context attackers leverage known websites such as "facebook", "youtube", etc., in order to pass through undetected.
references:
    - https://content.fireeye.com/apt-41/rpt-apt41
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
    - https://github.com/kleiton0x00/RedditC2
    - https://twitter.com/kleiton0x7e/status/1600567316810551296
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022/08/17
modified: 2024/02/06
tags:
    - attack.command_and_control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.t.me'
            - '4shared.com'
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cloudflare.com'
            - 'ddns.net'
            - 'discord.com'
            - 'docs.google.com'
            - 'drive.google.com'
            - 'dropbox.com'
            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'ghostbin.co/'
            - 'githubusercontent.com'
            - 'gofile.io'
            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'reddit.com'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'steamcommunity.com'
            - 'storage.googleapis.com'
            - 'technet.microsoft.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'twitter.com'
            - 'ufile.io'
            - 'abuse.ch'
            - 'vimeo.com'
            - 'wetransfer.com'
            - 'youtube.com'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_whatsapp:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
        Image|endswith: '\WhatsApp.exe'
        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
        DestinationHostname|endswith: '.t.me'
    filter_main_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\OneDrive.exe'
        DestinationHostname|endswith: 'onedrive.com'
    filter_main_dropbox:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        Image|endswith:
            - '\Dropbox.exe'
            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
        Image|endswith:
            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
            # In practice please apply exact path to avoid basic path bypass techniques.
            - '\MEGAsync.exe'
            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
            - '\MEGAsyncSetup32.exe' # Installers 32bit
            - '\MEGAsyncSetup64.exe' # Installers 64bit
            - '\MEGAupdater.exe'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    filter_main_googledrive:
        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
        DestinationHostname|endswith: 'drive.google.com'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'cdn.discordapp.com'
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - One might need to exclude other internet browsers found in its network or other applications like the ones mentioned above from Microsoft Defender.
    - Ninite contacting githubusercontent.com
level: high
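The following is an added example, not part of the Sigma rule or the page, showing how the rule's selection, a few of its filter_main_* groups and its condition evaluate against constructed Sysmon-style network_connection events; it assumes a small subset of the hostname list and hypothetical image paths.

```python
import fnmatch

# Subset of the rule's DestinationHostname|endswith list (constructed for the example).
DEAD_DROP_HOSTS = (".t.me", "pastebin.com", "dropbox.com", "facebook.com", "mega.nz")

def selection(ev):
    """selection: outbound (Initiated 'true') and destination ends with a listed host."""
    # Sigma string matching is case-insensitive, so everything is lower-cased.
    host = ev.get("DestinationHostname", "").lower()
    return ev.get("Initiated") == "true" and host.endswith(DEAD_DROP_HOSTS)

def filters(ev):
    """Four of the rule's filter_main_* groups; a True entry suppresses the event."""
    img = ev.get("Image", "").lower()
    host = ev.get("DestinationHostname", "").lower()
    return [
        # filter_main_chrome: exact install paths only
        img in (r"c:\program files\google\chrome\application\chrome.exe",
                r"c:\program files (x86)\google\chrome\application\chrome.exe"),
        # filter_main_chrome_appdata: per-user install under C:\Users\
        img.startswith("c:\\users\\")
        and img.endswith(r"\appdata\local\google\chrome\application\chrome.exe"),
        # filter_main_dropbox: install path AND destination must both match
        img.startswith(("c:\\program files (x86)\\dropbox\\client\\", "c:\\program files\\dropbox\\client\\"))
        and img.endswith((r"\dropbox.exe", r"\dropboxinstaller.exe"))
        and host.endswith("dropbox.com"),
        # filter_main_mega: name-only endswith (the rule's own note calls this best effort)
        any(fnmatch.fnmatch(img, "*" + p) for p in (r"\megasync.exe", r"\megasyncsetup32_*rc.exe"))
        and host.endswith(("mega.co.nz", "mega.nz")),
    ]

def matches(ev):
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not any(filters(ev))

def event(image, host, initiated="true"):
    """Build a constructed Sysmon-style network_connection event (not real telemetry)."""
    return {"Image": image, "DestinationHostname": host, "Initiated": initiated}

EVENTS = [
    event(r"C:\Users\alice\AppData\Local\Temp\update.exe", "pastebin.com"),           # alert
    event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pastebin.com"),  # browser, filtered
    event(r"C:\Program Files\Dropbox\Client\Dropbox.exe", "pastebin.com"),            # alert: filter scoped to dropbox.com
    event(r"C:\Users\alice\Downloads\MEGAsync.exe", "mega.nz"),                       # suppressed by name-only MEGA filter
    event(r"C:\Windows\System32\svchost.exe", "facebook.com", initiated="false"),     # inbound, not selected
]

def alerting_images(events=EVENTS):
    """Return the Image of every event the rule would fire on."""
    return [ev["Image"] for ev in events if matches(ev)]
```

The Dropbox and MEGA cases show why the per-application filters carry a DestinationHostname constraint and why the rule's note recommends exact paths when tuning the name-only filters.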
Related rules
- Communication To Ngrok Tunneling Service Initiated
- Suspicious Non-Browser Network Communication With Google API
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To Ngrok Tunneling Service - Linux