T1102.001 CrowdStrike LogScale · LogScale

Detect Dead Drop Resolver in CrowdStrike LogScale

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries post content (dead drop resolvers) on services like Pastebin, GitHub, Twitter, Google Docs, YouTube, or Microsoft TechNet with embedded and often obfuscated or encoded domains or IP addresses. Infected victims reach out to these resolvers to obtain real C2 server addresses, allowing attackers to change infrastructure dynamically while hiding behind trusted domains. This technique leverages the legitimacy and SSL/TLS encryption of popular web services to blend into normal network traffic and protect back-end C2 infrastructure from discovery through malware binary analysis.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1102 Web Service
Sub-technique
T1102.001 Dead Drop Resolver
Canonical reference
https://attack.mitre.org/techniques/T1102/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Dead Drop Resolver Detection - T1102.001
// Detect suspicious processes making DNS or network connections to known dead drop platforms

#event_simpleName = /^(DnsRequest|NetworkConnectIP4|NetworkConnectIP6)$/
| DomainName = /(?i)(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.twitter\.com|t\.co|docs\.google\.com|drive\.google\.com|sites\.google\.com|youtube\.com|youtu\.be|technet\.microsoft\.com|livejournal\.com|imgur\.com|i\.imgur\.com|reddit\.com|old\.reddit\.com|workers\.dev|cloudflare\.com|amazonaws\.com|s3\.amazonaws\.com|onedrive\.live\.com|sharepoint\.com|notion\.so|trello\.com|discord\.com|discordapp\.com|telegram\.org|t\.me)/
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe)/
  OR (
    NOT ImageFileName = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe|outlook\.exe|teams\.exe|slack\.exe|onedrive\.exe|dropbox\.exe|svchost\.exe)/
  )
| eval IsSuspiciousProcess = if(ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe)/, "true", "false")
| eval IsKnownBrowser = if(ImageFileName = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe)/, "true", "false")
| eval IsPastebin = if(DomainName = /(?i)(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com)/, "true", "false")
| eval IsGitHubRaw = if(DomainName = /(?i)(raw\.githubusercontent\.com|gist\.github\.com)/, "true", "false")
| eval IsSocialMedia = if(DomainName = /(?i)(api\.twitter\.com|t\.co|reddit\.com|livejournal\.com)/, "true", "false")
| eval IsCloudStorage = if(DomainName = /(?i)(amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com)/, "true", "false")
| eval IsDiscordTelegram = if(DomainName = /(?i)(discord\.com|discordapp\.com|telegram\.org|t\.me)/, "true", "false")
| table([@timestamp, ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, DomainName, RemoteAddressIP4, RemotePort, IsSuspiciousProcess, IsKnownBrowser, IsPastebin, IsGitHubRaw, IsSocialMedia, IsCloudStorage, IsDiscordTelegram])
| sort(@timestamp, order=desc)
high severity medium confidence

CrowdStrike LogScale (Falcon) query detecting T1102.001 Dead Drop Resolver by correlating DnsRequest and NetworkConnectIP4/6 events from the Falcon sensor against known dead drop platform domains. Filters for suspicious LOLBins and scripting interpreters as the initiating process, or any non-browser process reaching these platforms, enabling detection of C2 beaconing that leverages trusted web services to obscure infrastructure.

Data Sources

CrowdStrike Falcon Sensor (DnsRequest events)CrowdStrike Falcon Sensor (NetworkConnectIP4/6 events)Falcon Data Replicator (FDR)

Required Tables

DnsRequestNetworkConnectIP4NetworkConnectIP6

False Positives & Tuning

  • PowerShell-based deployment pipelines in CI/CD environments pulling deployment artifacts or secrets from S3 or SharePoint
  • Legitimate Discord or Telegram desktop clients showing as non-browser processes while end users communicate via these platforms
  • Java enterprise applications with embedded HTTP clients calling cloud APIs for telemetry, licensing, or configuration synchronization
Download portable Sigma rule (.yml)

Other platforms for T1102.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Dead Drop Resolver — Pastebin C2 Address Retrieval

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden' and 'Net.WebClient' and 'pastebin.com'. Sysmon Event ID 3: Network connection from powershell.exe to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com from the powershell.exe process. Sysmon Event ID 11: File creation event for ddr_test_output.txt in %TEMP%.

  2. Test 2cURL Dead Drop Resolver — GitHub Raw Content Fetch

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'raw.githubusercontent.com' and '-o' flag. Sysmon Event ID 3: Network connection from curl.exe to raw.githubusercontent.com port 443. Sysmon Event ID 22: DNS query for raw.githubusercontent.com. Sysmon Event ID 11: File creation event for ddr_github_test.txt in %TEMP%.

  3. Test 3WScript Dead Drop Resolver — VBScript Fetching Content from Legitimate Service

    Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine referencing pastebin.com URL. Sysmon Event ID 3: Network connection from wscript.exe to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com from wscript.exe process. File creation in C:\Windows\Temp\.

  4. Test 4Certutil Dead Drop — Fetching Encoded Content from Web Service

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache' and 'pastebin.com'. Sysmon Event ID 3: Network connection from certutil.exe to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. Sysmon Event ID 11: File creation of ddr_certutil_test.txt. Windows Security Event ID 4688 (if command line auditing enabled).

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1102.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1102Web Service

Related Sub-techniques

T1102.002Bidirectional CommunicationT1102.003One-Way Communication

Related Techniques

T1102Web ServiceT1102.002Bidirectional CommunicationT1102.003One-Way CommunicationT1071.001Web ProtocolsT1568Dynamic ResolutionT1568.002Domain Generation AlgorithmsT1027Obfuscated Files or InformationT1027.001Binary PaddingT1027.010Command ObfuscationT1105Ingress Tool TransferT1132.001Standard EncodingT1059.001PowerShellT1053.005Scheduled Task

Same Tactic: Command and Control

Popular Detections