EXPLORE

← Back to Explore

T1102.001

Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likeliho...

ESXiLinuxmacOSWindows

7

Detections

2

Sources

6

Threat Actors

BY SOURCE

4sigma3elastic

PROCEDURES (7)

Service1 detections

Auto-extracted: 1 detections for service

C21 detections

Auto-extracted: 1 detections for c2

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Download1 detections

Auto-extracted: 1 detections for download

Service1 detections

Auto-extracted: 1 detections for service

THREAT ACTORS (6)

APT41 BRONZE BUTLER Kimsuky Patchwork Rocke RTM

DETECTIONS (7)

Connection to Commonly Abused Web Services

Google Calendar C2 via Script Interpreter

Network Connection Initiated To AzureWebsites.NET By Non-Browser Process

New Connection Initiated To Potential Dead Drop Resolver Domain

Potential Etherhiding C2 via Blockchain Connection

Raw Paste Service Access