Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Content (DC0085) | etw:Microsoft-Windows-NDIS-PacketCapture | TLS Handshake/Network Flow |

| Field | Description |
|---|---|
| TargetDomain | FQDN or IP for the hosting site of the dead drop (e.g., pastebin.com, twitter.com) |
| TimeWindow | Defines how close in time the suspicious network and process behavior must occur |
| UserContext | Filter by user or system accounts to reduce noise |

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | netconnect |
| Network Traffic Content (DC0085) | NSM:Flow | HTTP/TLS Logs |

| Field | Description |
|---|---|
| TargetDomain | Dead drop hosting domain (e.g., GitHub, Google Docs) |
| PayloadEntropyThreshold | Entropy level above which retrieved payload content is treated as obfuscated |
| TimeWindow | Causal proximity between access to the resolver and follow-up connections |

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | subsystem: com.apple.network |
| Network Connection Creation (DC0082) | macos:osquery | process_events/socket_events |

| Field | Description |
|---|---|
| TargetService | Known services abused for C2 (e.g., iCloud, Dropbox) |
| UserContext | Useful to isolate rare users accessing web services for C2 |
| TimeWindow | Max time gap between the dead drop resolver fetch and follow-on traffic |

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vobd | Network Events |
| Network Connection Creation (DC0082) | NSM:Firewall | Outbound Connections |

| Field | Description |
|---|---|
| DestinationIP | Identifies unusual IP destinations embedded in traffic |
| Protocol | Used to detect uncommon protocols (e.g., DNS over HTTPS) |
| TimeWindow | Used to correlate outbound web requests with process execution |
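As an added example (not part of the analytic above), the correlation the Windows and Linux tables describe, run over constructed Sysmon EventCode=3 style events joined with the response body a network sensor saw on each connection: a fetch from a TargetDomain whose content exceeds PayloadEntropyThreshold, followed within TimeWindow by the same process connecting to a destination outside the allowlisted service, optionally narrowed by UserContext. The domains, threshold, window and every event value are assumptions made up for the example.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Mutable elements from the analytic above; these values are assumptions for the example.
TARGET_DOMAINS = {"pastebin.com", "raw.githubusercontent.com"}
TIME_WINDOW_SECONDS = 60
PAYLOAD_ENTROPY_THRESHOLD = 4.0  # bits/char: readable text sits below, base64/hex blobs well above

# Constructed events shaped like Sysmon EventCode=3 fields plus the response body a network sensor saw.
def ev(t, guid, image, user, host, ip, port, body=""):
    return {"UtcTime": t, "ProcessGuid": guid, "Image": image, "User": user, "DestinationHostname": host,
            "DestinationIp": ip, "DestinationPort": port, "ResponseBody": body}
EVENTS = [
    ev("2024-05-01 10:00:00", "{P1}", "powershell.exe", "CORP\\jdoe", "pastebin.com", "203.0.113.10", 443,
       "aHR0cHM6Ly8xOTguNTEuMTAwLjIzOjg0NDMvZ2F0ZQ=="),  # high-entropy encoded blob (constructed)
    ev("2024-05-01 10:00:07", "{P1}", "powershell.exe", "CORP\\jdoe", "", "198.51.100.23", 8443),
    ev("2024-05-01 10:05:00", "{P2}", "chrome.exe", "CORP\\jdoe", "pastebin.com", "203.0.113.10", 443,
       "hello hello hello hello hello"),  # readable text: an ordinary paste
    ev("2024-05-01 10:05:02", "{P2}", "chrome.exe", "CORP\\jdoe", "", "198.51.100.77", 443),
    ev("2024-05-01 10:10:00", "{P3}", "python.exe", "CORP\\svc", "raw.githubusercontent.com", "203.0.113.11", 443,
       "aHR0cHM6Ly8xOTguNTEuMTAwLjIzOjg0NDMvZ2F0ZQ=="),
    ev("2024-05-01 10:20:00", "{P3}", "python.exe", "CORP\\svc", "", "198.51.100.23", 8443),  # 600 s later: outside TimeWindow
]

def shannon_entropy(text):  # bits per character; encoded or obfuscated blobs score high
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def detect_dead_drop_resolver(events, targets=TARGET_DOMAINS, window=TIME_WINDOW_SECONDS,
                              threshold=PAYLOAD_ENTROPY_THRESHOLD, user_context=None):
    """Pair a high-entropy fetch from a dead-drop host with a follow-on connection by the same process."""
    events = sorted(events, key=lambda e: e["UtcTime"])  # fixed-width timestamps sort correctly as strings
    alerts = []
    for i, fetch in enumerate(events):
        if fetch["DestinationHostname"] not in targets or (user_context and fetch["User"] not in user_context):
            continue
        if shannon_entropy(fetch["ResponseBody"]) < threshold:
            continue  # readable content: ordinary use of the web service
        t0 = datetime.strptime(fetch["UtcTime"], FMT)
        for follow in events[i + 1:]:
            if datetime.strptime(follow["UtcTime"], FMT) - t0 > timedelta(seconds=window):
                break  # input is time-sorted, so nothing later can fall inside TimeWindow
            if follow["ProcessGuid"] == fetch["ProcessGuid"] and follow["DestinationHostname"] not in targets:
                alerts.append({"process": fetch["Image"], "user": fetch["User"], "resolver": fetch["DestinationHostname"],
                               "follow_on": f'{follow["DestinationIp"]}:{follow["DestinationPort"]}'})
                break
    return alerts
```

Only the PowerShell chain is flagged: the browser fetch fails the entropy gate and the scripted fetch's follow-on falls outside the window, which is how TimeWindow and PayloadEntropyThreshold trade recall against noise.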