Potential Dead Drop Resolvers

Detects an executable that is neither an internet browser nor a known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks. In this context attackers leverage well-known websites such as "facebook" and "youtube" in order to blend in with normal traffic and pass through undetected.

Sigma rule

```yaml
title: Potential Dead Drop Resolvers
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
    - id: d7b09985-95a3-44be-8450-b6eadf49833e
      type: obsoletes
status: test
description: |
    Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites, which were seen to be used as dead drop resolvers in previous attacks.
    In this context attackers leverage known websites such as "facebook", "youtube", etc. in order to pass through undetected.
references:
    - https://content.fireeye.com/apt-41/rpt-apt41
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
    - https://github.com/kleiton0x00/RedditC2
    - https://twitter.com/kleiton0x7e/status/1600567316810551296
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022/08/17
modified: 2024/02/06
tags:
    - attack.command_and_control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.t.me'
            - '4shared.com'
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cloudflare.com'
            - 'ddns.net'
            - 'discord.com'
            - 'docs.google.com'
            - 'drive.google.com'
            - 'dropbox.com'
            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
            - 'ghostbin.co/'
            - 'githubusercontent.com'
            - 'gofile.io'
            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'reddit.com'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'steamcommunity.com'
            - 'storage.googleapis.com'
            - 'technet.microsoft.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'twitter.com'
            - 'ufile.io'
            - 'abuse.ch'
            - 'vimeo.com'
            - 'wetransfer.com'
            - 'youtube.com'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_waterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_whatsapp:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
        Image|endswith: '\WhatsApp.exe'
        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
        DestinationHostname|endswith: '.t.me'
    filter_main_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\OneDrive.exe'
        DestinationHostname|endswith: 'onedrive.com'
    filter_main_dropbox:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        Image|endswith:
            - '\Dropbox.exe'
            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
        Image|endswith:
            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
            #       In practice please apply exact path to avoid basic path bypass techniques.
            - '\MEGAsync.exe'
            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
            - '\MEGAsyncSetup32.exe' # Installers 32bit
            - '\MEGAsyncSetup64.exe' # Installers 64bit
            - '\MEGAupdater.exe'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    filter_main_googledrive:
        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
        DestinationHostname|endswith: 'drive.google.com'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'cdn.discordapp.com'
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - One might need to exclude other internet browsers found in its network or other applications like the ones mentioned above from Microsoft Defender.
    - Ninite contacting githubusercontent.com
level: high
```
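
To make the rule's logic concrete, here is a small evaluator (an added example, not the rule's own code or part of the Sigma project) that applies the `selection and not 1 of filter_main_*` condition to constructed Sysmon-style `network_connection` events. It reproduces only a subset of the hostname list and of the filters, and the sample events and the `update.exe` path are invented; it illustrates in particular that an app-specific filter such as `filter_main_whatsapp` only excludes the app's connections to its own service, so the same binary reaching `pastebin.com` still alerts.

```python
# Added example, not the rule's or the Sigma project's code: minimal evaluator for this rule's
# 'selection and not 1 of filter_main_*' logic. Matching is case-insensitive, as in Sigma.
DEAD_DROP_SUFFIXES = [".t.me", "discord.com", "facebook.com", "githubusercontent.com", "pastebin.com"]

# Subset of filter_main_*: each block ANDs its fields; a bare field name means exact match.
FILTERS = {
    "chrome": {"Image": ["C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                         "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"]},
    "whatsapp": {"Image|startswith": ["C:\\Program Files (x86)\\WindowsApps\\",
                                      "C:\\Program Files\\WindowsApps\\"],
                 "Image|endswith": "\\WhatsApp.exe",
                 "DestinationHostname|endswith": "facebook.com"},
}

def field_match(event, key, patterns):
    """Sigma-style match of one 'field|modifier' key against one or more patterns (OR)."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, "")).lower()
    for p in ([patterns] if isinstance(patterns, str) else patterns):
        p = p.lower()
        if ((mod == "" and value == p) or (mod == "endswith" and value.endswith(p))
                or (mod == "startswith" and value.startswith(p))
                or (mod == "contains" and p in value)):
            return True
    return False

def alerts(event):
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    selection = (str(event.get("Initiated", "")).lower() == "true"
                 and field_match(event, "DestinationHostname|endswith", DEAD_DROP_SUFFIXES))
    excluded = any(all(field_match(event, k, v) for k, v in flt.items()) for flt in FILTERS.values())
    return selection and not excluded

# Constructed Sysmon Event ID 3 style records (not real telemetry; paths are invented).
SAMPLE_EVENTS = [
    {"Initiated": "true", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "pastebin.com"},   # known browser: filtered
    {"Initiated": "true", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "DestinationHostname": "pastebin.com"},   # unknown binary: alert
    {"Initiated": "true", "Image": "C:\\Program Files\\WindowsApps\\WhatsApp.exe",
     "DestinationHostname": "facebook.com"},   # app reaching its own service: filtered
    {"Initiated": "true", "Image": "C:\\Program Files\\WindowsApps\\WhatsApp.exe",
     "DestinationHostname": "pastebin.com"},   # same app, foreign domain: still alerts
    {"Initiated": "false", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "DestinationHostname": "pastebin.com"},   # inbound connection: not selected
]
if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("ALERT" if alerts(ev) else "ok   ", ev["Image"], "->", ev["DestinationHostname"])
```

Note that `endswith` on a bare domain such as `ddns.net` also matches any unrelated hostname ending in those characters, which is one reason the rule's notes recommend tuning the filters to your environment.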
