New Connection Initiated To Potential Dead Drop Resolver Domain

Severity: high
Author: Sorina Ionescu, X__Junior (Nextron Systems)
Source: upstream

Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1102` Web Service, `T1102.001` Web Service: Dead Drop Resolver

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

or:
DestinationHostname|endswith: .t.me
DestinationHostname|endswith: 4shared.com
DestinationHostname|endswith: abuse.ch
DestinationHostname|endswith: anonfiles.com
DestinationHostname|endswith: cdn.discordapp.com
DestinationHostname|endswith: cloudflare.com
DestinationHostname|endswith: ddns.net
DestinationHostname|endswith: discord.com
DestinationHostname|endswith: docs.google.com
DestinationHostname|endswith: drive.google.com
DestinationHostname|endswith: dropbox.com
DestinationHostname|endswith: dropmefiles.com
DestinationHostname|endswith: facebook.com
DestinationHostname|endswith: feeds.rapidfeeds.com
DestinationHostname|endswith: fotolog.com
DestinationHostname|endswith: 'ghostbin.co/'
DestinationHostname|endswith: githubusercontent.com
DestinationHostname|endswith: gofile.io
DestinationHostname|endswith: hastebin.com
DestinationHostname|endswith: imgur.com
DestinationHostname|endswith: livejournal.com
DestinationHostname|endswith: mediafire.com
DestinationHostname|endswith: mega.co.nz
DestinationHostname|endswith: mega.nz
DestinationHostname|endswith: onedrive.com
DestinationHostname|endswith: pages.dev
DestinationHostname|endswith: paste.ee
DestinationHostname|endswith: pastebin.com
DestinationHostname|endswith: pastebin.pl
DestinationHostname|endswith: pastetext.net
DestinationHostname|endswith: pixeldrain.com
DestinationHostname|endswith: privatlab.com
DestinationHostname|endswith: privatlab.net
DestinationHostname|endswith: reddit.com
DestinationHostname|endswith: send.exploit.in
DestinationHostname|endswith: sendspace.com
DestinationHostname|endswith: steamcommunity.com
DestinationHostname|endswith: storage.googleapis.com
DestinationHostname|endswith: technet.microsoft.com
DestinationHostname|endswith: temp.sh
DestinationHostname|endswith: transfer.sh
DestinationHostname|endswith: trycloudflare.com
DestinationHostname|endswith: twitter.com
DestinationHostname|endswith: ufile.io
DestinationHostname|endswith: vimeo.com
DestinationHostname|endswith: w3spaces.com
DestinationHostname|endswith: wetransfer.com
DestinationHostname|endswith: workers.dev
DestinationHostname|endswith: youtube.com
Initiated: true

Stage 2: `not 1 of filter_main_*`

or:
or:
DestinationHostname|endswith: cdn.discordapp.com
DestinationHostname|endswith: discord.com
Image|endswith: '\Discord.exe'
Image|contains: '\AppData\Local\Discord\'
or:
DestinationHostname|endswith: mega.co.nz
DestinationHostname|endswith: mega.nz
or:
Image|endswith: '\MEGAsync.exe'
Image|endswith: '\MEGAsyncSetup32.exe'
Image|endswith: '\MEGAsyncSetup32_*RC.exe'
Image|endswith: '\MEGAsyncSetup64.exe'
Image|endswith: '\MEGAupdater.exe'
or:
Image|endswith: '\Dropbox.exe'
Image|endswith: '\DropboxInstaller.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Dropbox\Client\'
Image|startswith: 'C:\Program Files\Dropbox\Client\'
DestinationHostname|endswith: dropbox.com
or:
Image|endswith: '\MsMpEng.exe'
Image|endswith: '\MsSense.exe'
or:
Image|contains: 'C:\Program Files\Windows Defender Advanced Threat Protection\'
Image|contains: 'C:\Program Files\Windows Defender\'
Image|contains: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
or:
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeCore\'
Image|startswith: 'C:\Program Files\Microsoft\EdgeCore\'
or:
Image|contains: 'C:\Program Files (x86)\Google\Drive File Stream\'
Image|contains: 'C:\Program Files\Google\Drive File Stream\'
DestinationHostname|endswith: drive.google.com
Image|endswith: GoogleDriveFS.exe
or:
Image|contains: 'C:\Program Files (x86)\Safari\'
Image|contains: 'C:\Program Files\Safari\'
Image|endswith: '\safari.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Avant Browser\'
Image|startswith: 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Falkon\'
Image|startswith: 'C:\Program Files\Falkon\'
Image|endswith: '\falkon.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|startswith: 'C:\Program Files\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
or:
Image|startswith: 'C:\Program Files (x86)\QtWeb\'
Image|startswith: 'C:\Program Files\QtWeb\'
Image|endswith: '\QtWeb.exe'
or:
Image|startswith: 'C:\Program Files (x86)\SeaMonkey\'
Image|startswith: 'C:\Program Files\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
or:
Image|startswith: 'C:\Program Files (x86)\SlimBrowser\'
Image|startswith: 'C:\Program Files\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Waterfox\'
Image|startswith: 'C:\Program Files\Waterfox\'
Image|endswith: '\Waterfox.exe'
or:
Image|startswith: 'C:\Program Files (x86)\WindowsApps\'
Image|startswith: 'C:\Program Files\WindowsApps\'
DestinationHostname|endswith: facebook.com
Image|endswith: '\WhatsApp.exe'
DestinationHostname|endswith: .t.me
Image|endswith: '\Telegram.exe'
Image|contains: '\AppData\Roaming\Telegram Desktop\'
DestinationHostname|endswith: onedrive.com
Image|endswith: '\OneDrive.exe'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
Image|startswith: 'C:\Users\'
Image|endswith: '\Flock.exe'
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Midori Next Generation.exe'
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Phoebe.exe'
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
Image|endswith: '\maxthon.exe'
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\opera.exe'
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\vivaldi.exe'
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
Image|endswith: 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
Image: ''
Image: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
Image: null
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationHostname`	ends_with	`.t.me` `4shared.com` `abuse.ch` `anonfiles.com` corpus 3 (sigma 3) `cdn.discordapp.com` corpus 3 (sigma 3) `cloudflare.com` `ddns.net` corpus 3 (sigma 3) `discord.com` `docs.google.com` `drive.google.com` `dropbox.com` `dropmefiles.com` `facebook.com` `feeds.rapidfeeds.com` `fotolog.com` `ghostbin.co/` `githubusercontent.com` `gofile.io` corpus 3 (sigma 3) `hastebin.com` corpus 3 (sigma 3) `imgur.com` `livejournal.com` `mediafire.com` corpus 3 (sigma 3) `mega.co.nz` corpus 4 (sigma 4) `mega.nz` corpus 4 (sigma 4) `onedrive.com` `pages.dev` corpus 3 (sigma 3) `paste.ee` corpus 3 (sigma 3) `pastebin.com` corpus 3 (sigma 3) `pastebin.pl` corpus 3 (sigma 3) `pastetext.net` corpus 3 (sigma 3) `pixeldrain.com` corpus 2 (sigma 2) `privatlab.com` corpus 3 (sigma 3) `privatlab.net` corpus 3 (sigma 3) `reddit.com` `send.exploit.in` corpus 3 (sigma 3) `sendspace.com` corpus 3 (sigma 3) `steamcommunity.com` `storage.googleapis.com` corpus 3 (sigma 3) `technet.microsoft.com` `temp.sh` corpus 3 (sigma 3) `transfer.sh` corpus 3 (sigma 3) `trycloudflare.com` corpus 4 (sigma 4) `twitter.com` `ufile.io` corpus 3 (sigma 3) `vimeo.com` `w3spaces.com` corpus 3 (sigma 3) `wetransfer.com` `workers.dev` corpus 3 (sigma 3) `youtube.com`
`Image`	ends_with	`C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe` corpus 2 (sigma 2) `C:\Program Files\PRTG Network Monitor\PRTG Probe.exe` corpus 2 (sigma 2) `GoogleDriveFS.exe` `\AppData\Local\Google\Chrome\Application\chrome.exe` corpus 2 (sigma 2) `\AppData\Local\Mozilla Firefox\firefox.exe` corpus 2 (sigma 2) `\Discord.exe` corpus 3 (sigma 3) `\Dropbox.exe` corpus 2 (sigma 2) `\DropboxInstaller.exe` `\Flock.exe` corpus 4 (sigma 4) `\MEGAsync.exe` `\MEGAsyncSetup32.exe` `\MEGAsyncSetup32_*RC.exe` `\MEGAsyncSetup64.exe` `\MEGAupdater.exe` `\Midori Next Generation.exe` corpus 3 (sigma 3) `\MsMpEng.exe` corpus 13 (sigma 13) `\MsSense.exe` corpus 5 (sigma 5) `\OneDrive.exe` `\Phoebe.exe` corpus 4 (sigma 4) `\QtWeb.exe` corpus 2 (sigma 2) `\Telegram.exe` `\Waterfox.exe` corpus 4 (sigma 4) `\WhatsApp.exe` `\WindowsApps\MicrosoftEdge.exe` corpus 12 (sigma 12) `\avant.exe` corpus 4 (sigma 4) `\brave.exe` corpus 20 (sigma 20) `\falkon.exe` corpus 4 (sigma 4) `\maxthon.exe` corpus 13 (sigma 13) `\msedge.exe` corpus 22 (sigma 22) `\msedgewebview2.exe` corpus 15 (sigma 15) `\opera.exe` corpus 21 (sigma 21) `\safari.exe` corpus 12 (sigma 12) `\seamonkey.exe` corpus 13 (sigma 13) `\slimbrowser.exe` corpus 4 (sigma 4) `\vivaldi.exe` corpus 19 (sigma 19) `\whale.exe` corpus 12 (sigma 12)
`Image`	eq	`C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Internet Explorer\iexplore.exe` corpus 10 (sigma 10) `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Mozilla Firefox\firefox.exe` corpus 11 (sigma 11) `C:\Program Files\Google\Chrome\Application\chrome.exe` corpus 12 (sigma 12) `C:\Program Files\Internet Explorer\iexplore.exe` corpus 11 (sigma 11) `C:\Program Files\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files\Mozilla Firefox\firefox.exe` corpus 12 (sigma 12)
`Image`	match	`C:\Program Files (x86)\Google\Drive File Stream\` `C:\Program Files (x86)\Safari\` corpus 2 (sigma 2) `C:\Program Files\Google\Drive File Stream\` `C:\Program Files\Safari\` corpus 2 (sigma 2) `C:\Program Files\Windows Defender Advanced Threat Protection\` corpus 2 (sigma 2) `C:\Program Files\Windows Defender\` corpus 2 (sigma 2) `C:\ProgramData\Microsoft\Windows Defender\Platform\` corpus 2 (sigma 2) `\AppData\Local\Discord\` corpus 2 (sigma 2) `\AppData\Local\Flock\` corpus 4 (sigma 4) `\AppData\Local\Maxthon\` corpus 4 (sigma 4) `\AppData\Local\Microsoft\OneDrive\` corpus 4 (sigma 4) `\AppData\Local\Phoebe\` corpus 4 (sigma 4) `\AppData\Local\Programs\Opera\` corpus 5 (sigma 5) `\AppData\Local\Programs\midori-ng\` corpus 3 (sigma 3) `\AppData\Local\Vivaldi\` corpus 4 (sigma 4) `\AppData\Roaming\Telegram Desktop\`
`Image`	starts_with	`C:\Program Files (x86)\Avant Browser\` corpus 4 (sigma 4) `C:\Program Files (x86)\Dropbox\Client\` `C:\Program Files (x86)\Falkon\` corpus 4 (sigma 4) `C:\Program Files (x86)\Microsoft\EdgeCore\` corpus 11 (sigma 11) `C:\Program Files (x86)\Microsoft\EdgeWebView\Application\` corpus 10 (sigma 10) `C:\Program Files (x86)\Naver\Naver Whale\` corpus 4 (sigma 4) `C:\Program Files (x86)\QtWeb\` corpus 2 (sigma 2) `C:\Program Files (x86)\SeaMonkey\` corpus 4 (sigma 4) `C:\Program Files (x86)\SlimBrowser\` corpus 4 (sigma 4) `C:\Program Files (x86)\Waterfox\` corpus 4 (sigma 4) `C:\Program Files (x86)\WindowsApps\` `C:\Program Files\Avant Browser\` corpus 4 (sigma 4) `C:\Program Files\BraveSoftware\` corpus 4 (sigma 4) `C:\Program Files\Dropbox\Client\` `C:\Program Files\Falkon\` corpus 4 (sigma 4) `C:\Program Files\Microsoft\EdgeCore\` corpus 11 (sigma 11) `C:\Program Files\Naver\Naver Whale\` corpus 4 (sigma 4) `C:\Program Files\QtWeb\` corpus 2 (sigma 2) `C:\Program Files\SeaMonkey\` corpus 4 (sigma 4) `C:\Program Files\SlimBrowser\` corpus 4 (sigma 4) `C:\Program Files\Waterfox\` corpus 4 (sigma 4) `C:\Program Files\WindowsApps\` `C:\Users\` corpus 7 (sigma 7)
`Initiated`	eq	`true` corpus 40 (sigma 40)