Detect Dead Drop Resolver in Sumo Logic CSE
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries post content (dead drop resolvers) on services like Pastebin, GitHub, Twitter, Google Docs, YouTube, or Microsoft TechNet with embedded and often obfuscated or encoded domains or IP addresses. Infected victims reach out to these resolvers to obtain real C2 server addresses, allowing attackers to change infrastructure dynamically while hiding behind trusted domains. This technique leverages the legitimacy and SSL/TLS encryption of popular web services to blend into normal network traffic and protect back-end C2 infrastructure from discovery through malware binary analysis.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1102 Web Service
- Sub-technique
- T1102.001 Dead Drop Resolver
- Canonical reference
- https://attack.mitre.org/techniques/T1102/001/
Sumo Detection Query
// Scope: Windows, Sysmon and endpoint log sources
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
// Pre-filter the raw event for any watched web service. (?s) lets .* span the multi-line event;
// t.co and t.me are bounded so that hosts such as microsoft.com do not match by accident.
| where _raw matches /(?is).*(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.twitter\.com|(?<![\w.-])t\.co(?!\w)|docs\.google\.com|drive\.google\.com|sites\.google\.com|youtube\.com|technet\.microsoft\.com|livejournal\.com|imgur\.com|reddit\.com|workers\.dev|amazonaws\.com|onedrive\.live\.com|sharepoint\.com|notion\.so|trello\.com|discord\.com|discordapp\.com|telegram\.org|(?<![\w.-])t\.me(?!\w)).*/
// Extract Sysmon fields; (?<!Parent) stops Image: from matching inside ParentImage:, and (?<!\w) keeps User: off ParentUser:
| parse regex field=_raw "(?i)(?<!Parent)Image:\s*(?<ProcessImage>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)DestinationHostname:\s*(?<DestHost>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)QueryName:\s*(?<QueryName>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)CommandLine:\s*(?<CommandLine>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)ParentImage:\s*(?<ParentImage>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?<!\w)User:\s*(?<User>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)DestinationIp:\s*(?<DestIP>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)DestinationPort:\s*(?<DestPort>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)Computer:\s*(?<Computer>[^\r\n]+)" nodrop
// Event ID 3 carries DestinationHostname, Event ID 22 carries QueryName; use whichever is present
| if (!isNull(DestHost) and DestHost != "", DestHost, QueryName) as TargetHost
| toLowerCase(if (!isNull(ProcessImage), ProcessImage, "")) as ProcessName
// Process classification: script hosts and downloaders vs. known browsers
| if (ProcessName matches /.*?(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe).*/, 1, 0) as IsSuspiciousProcess
| if (ProcessName matches /.*?(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe).*/, 1, 0) as IsKnownBrowser
// Destination classification by dead drop resolver category
| if (TargetHost matches /.*?(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com).*/, 1, 0) as IsPastebin
| if (TargetHost matches /.*?(raw\.githubusercontent\.com|gist\.github\.com).*/, 1, 0) as IsGitHubRaw
| if (TargetHost matches /.*?(api\.twitter\.com|(?<![\w.-])t\.co(?!\w)|reddit\.com|livejournal\.com).*/, 1, 0) as IsSocialMedia
| if (TargetHost matches /.*?(amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com).*/, 1, 0) as IsCloudStorage
| if (TargetHost matches /.*?(discord\.com|discordapp\.com|telegram\.org|(?<![\w.-])t\.me(?!\w)).*/, 1, 0) as IsDiscordTelegram
| IsSuspiciousProcess + IsPastebin + IsGitHubRaw + IsSocialMedia + IsCloudStorage + IsDiscordTelegram as RiskScore
// Alert on any suspicious process, or on any non-browser process that hit a categorised host
| where IsSuspiciousProcess = 1 or (IsKnownBrowser = 0 and RiskScore > 0)
| fields _messageTime, Computer, User, ProcessName, ProcessImage, ParentImage, CommandLine, TargetHost, DestIP, DestPort, IsSuspiciousProcess, IsKnownBrowser, IsPastebin, IsGitHubRaw, IsSocialMedia, IsCloudStorage, IsDiscordTelegram, RiskScore
| sort by _messageTime desc
Sumo Logic query detecting dead drop resolver access by parsing Sysmon Event IDs 3 (Network Connect) and 22 (DNS Query) from Windows endpoint log sources. It extracts process, destination, and command-line fields to identify suspicious or non-browser processes contacting known paste sites, raw GitHub content, social media APIs, and cloud storage platforms used as C2 dead drop resolvers.
Data Sources
Required Tables
False Positives & Tuning
- Software update mechanisms using curl.exe or PowerShell to download update manifests from GitHub releases or cloud storage buckets
- Legitimate penetration testing tooling or red team infrastructure running from test endpoints
- IT automation scripts (e.g., PowerShell DSC, Ansible WinRM) fetching configuration from SharePoint or OneDrive during scheduled maintenance
Other platforms for T1102.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Dead Drop Resolver — Pastebin C2 Address Retrieval
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden' and 'Net.WebClient' and 'pastebin.com'. Sysmon Event ID 3: Network connection from powershell.exe to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com from the powershell.exe process. Sysmon Event ID 11: File creation event for ddr_test_output.txt in %TEMP%.
- Test 2: cURL Dead Drop Resolver — GitHub Raw Content Fetch
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'raw.githubusercontent.com' and '-o' flag. Sysmon Event ID 3: Network connection from curl.exe to raw.githubusercontent.com port 443. Sysmon Event ID 22: DNS query for raw.githubusercontent.com. Sysmon Event ID 11: File creation event for ddr_github_test.txt in %TEMP%.
- Test 3: WScript Dead Drop Resolver — VBScript Fetching Content from Legitimate Service
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine referencing pastebin.com URL. Sysmon Event ID 3: Network connection from wscript.exe to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com from wscript.exe process. File creation in C:\Windows\Temp\.
- Test 4: Certutil Dead Drop — Fetching Encoded Content from Web Service
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache' and 'pastebin.com'. Sysmon Event ID 3: Network connection from certutil.exe to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. Sysmon Event ID 11: File creation of ddr_certutil_test.txt. Windows Security Event ID 4688 (if command line auditing enabled).
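The Sumo query above and the expected signals of Tests 1 to 4 can be exercised offline before the rule is deployed. The following Python script is an added example, not code from the page, from Sumo Logic or from Atomic Red Team: it mirrors the query's stages (raw pre-filter, field extraction, process and destination classification, RiskScore, final where) over constructed Sysmon-style events modelled on the test signals, plus a benign browser visit and a vendor updater from the False Positives section. The `allowlist` parameter (parent image basename, target host) is a hypothetical tuning knob that the query itself does not have; the hostnames, computer names, users and RFC 5737 IP addresses in the sample events are all constructed.

```python
"""Offline re-implementation of the dead drop resolver detection logic.

Added example only; not part of the Sumo Logic query, Sumo Logic CSE, or any
vendor product. All sample events below are constructed.
"""
import ntpath
import re

# Pre-filter: watched web services (mirrors the query's `where _raw matches` stage).
# t.co and t.me get boundaries so that a host such as microsoft.com is not a hit.
WATCHED_HOSTS = re.compile(
    r"pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|"
    r"gist\.github\.com|api\.twitter\.com|(?<![\w.-])t\.co(?!\w)|docs\.google\.com|"
    r"drive\.google\.com|sites\.google\.com|youtube\.com|technet\.microsoft\.com|"
    r"livejournal\.com|imgur\.com|reddit\.com|workers\.dev|amazonaws\.com|"
    r"onedrive\.live\.com|sharepoint\.com|notion\.so|trello\.com|discord\.com|"
    r"discordapp\.com|telegram\.org|(?<![\w.-])t\.me(?!\w)", re.I)

# Process classification (unanchored search, like the query's /.*?(...).*/ patterns)
SUSPICIOUS_PROCS = re.compile(
    r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|curl|"
    r"wget|bitsadmin|python|python3|perl|ruby|java|msiexec)\.exe", re.I)
KNOWN_BROWSERS = re.compile(r"(chrome|msedge|firefox|iexplore|opera|brave|safari)\.exe", re.I)

# Destination categories, one flag each, summed into RiskScore
HOST_CATEGORIES = {
    "IsPastebin": r"pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com",
    "IsGitHubRaw": r"raw\.githubusercontent\.com|gist\.github\.com",
    "IsSocialMedia": r"api\.twitter\.com|(?<![\w.-])t\.co(?!\w)|reddit\.com|livejournal\.com",
    "IsCloudStorage": r"amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com",
    "IsDiscordTelegram": r"discord\.com|discordapp\.com|telegram\.org|(?<![\w.-])t\.me(?!\w)",
}

# Field extraction; (?<!Parent) keeps Image: from matching inside ParentImage:
FIELD_PATTERNS = {
    "ProcessImage": r"(?<!Parent)Image:\s*(?P<v>[^\r\n]+)",
    "ParentImage": r"ParentImage:\s*(?P<v>[^\r\n]+)",
    "DestHost": r"DestinationHostname:\s*(?P<v>[^\r\n]+)",
    "QueryName": r"QueryName:\s*(?P<v>[^\r\n]+)",
    "CommandLine": r"CommandLine:\s*(?P<v>[^\r\n]+)",
    "User": r"(?<!\w)User:\s*(?P<v>[^\r\n]+)",
    "DestIP": r"DestinationIp:\s*(?P<v>[^\r\n]+)",
    "DestPort": r"DestinationPort:\s*(?P<v>[^\r\n]+)",
    "Computer": r"Computer:\s*(?P<v>[^\r\n]+)",
}


def parse_fields(raw):
    """Extract the Sysmon fields the query parses; missing fields become None (nodrop)."""
    out = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, raw, re.I)
        out[name] = m.group("v").strip() if m else None
    return out


def evaluate(raw, allowlist=frozenset()):
    """Enrich one raw event; rec['alert'] is True when the query's final where keeps it.

    Returns None when the event fails the raw pre-filter. allowlist (hypothetical
    tuning, not in the query) holds (parent image basename, target host) pairs to suppress.
    """
    if not WATCHED_HOSTS.search(raw):
        return None
    rec = parse_fields(raw)
    rec["TargetHost"] = rec["DestHost"] or rec["QueryName"] or ""   # Event 3 vs Event 22
    rec["ProcessName"] = (rec["ProcessImage"] or "").lower()
    rec["IsSuspiciousProcess"] = int(bool(SUSPICIOUS_PROCS.search(rec["ProcessName"])))
    rec["IsKnownBrowser"] = int(bool(KNOWN_BROWSERS.search(rec["ProcessName"])))
    for flag, pattern in HOST_CATEGORIES.items():
        rec[flag] = int(bool(re.search(pattern, rec["TargetHost"], re.I)))
    rec["RiskScore"] = rec["IsSuspiciousProcess"] + sum(rec[f] for f in HOST_CATEGORIES)
    parent = ntpath.basename(rec["ParentImage"] or "").lower()
    suppressed = (parent, rec["TargetHost"].lower()) in allowlist
    rec["alert"] = (not suppressed) and (
        rec["IsSuspiciousProcess"] == 1 or (rec["IsKnownBrowser"] == 0 and rec["RiskScore"] > 0))
    return rec


def run(events, allowlist=frozenset()):
    """Evaluate every raw event and return only the records that would alert."""
    return [r for r in (evaluate(e, allowlist) for e in events) if r and r["alert"]]


# Constructed Sysmon-style events, one field per line as Sumo receives rendered Windows events
SAMPLE_EVENTS = [
    "\n".join(["EventID: 3", "Computer: WS01", r"User: CORP\alice",                     # Test 1
               r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "DestinationIp: 192.0.2.10", "DestinationPort: 443", "DestinationHostname: pastebin.com"]),
    "\n".join(["EventID: 22", "Computer: WS02", r"User: CORP\bob",                      # Test 2 (DNS)
               r"Image: C:\Windows\System32\curl.exe", "QueryName: raw.githubusercontent.com"]),
    "\n".join(["EventID: 3", "Computer: WS03", r"User: CORP\carol",                     # browser: no alert
               r"Image: C:\Program Files\Google\Chrome\Application\chrome.exe",
               "DestinationIp: 198.51.100.7", "DestinationPort: 443", "DestinationHostname: www.reddit.com"]),
    "\n".join(["EventID: 3", "Computer: WS04", r"User: CORP\dave",                      # unknown app, RiskScore 1
               r"Image: C:\Users\dave\AppData\Local\Foo\foo.exe",
               "DestinationIp: 198.51.100.9", "DestinationPort: 443", "DestinationHostname: discord.com"]),
    "\n".join(["EventID: 3", "Computer: WS05", r"User: NT AUTHORITY\SYSTEM",            # updater false positive
               r"ParentImage: C:\Program Files\VendorUpdater\updater.exe", r"Image: C:\Windows\System32\curl.exe",
               "DestinationIp: 192.0.2.33", "DestinationPort: 443", "DestinationHostname: raw.githubusercontent.com"]),
    "\n".join(["EventID: 3", "Computer: WS06", r"User: CORP\erin",                      # no watched host
               r"Image: C:\Windows\System32\svchost.exe", "DestinationHostname: update.example.internal"]),
]

if __name__ == "__main__":
    for rec in run(SAMPLE_EVENTS):
        print(rec["Computer"], rec["ProcessName"], rec["TargetHost"], "RiskScore", rec["RiskScore"])
    print("after allowlist:", [r["Computer"] for r in run(
        SAMPLE_EVENTS, allowlist=frozenset({("updater.exe", "raw.githubusercontent.com")}))])
```

Untuned, the run alerts on WS01, WS02, WS04 and WS05 and drops the Chrome visit to reddit and the svchost event; adding the updater pair to the allowlist removes WS05 while the two atomic-test signals and the unknown Discord client still fire. Keep any such allowlist keyed on the parent process and host pair rather than on curl.exe alone, otherwise Test 2's signal would be suppressed along with the updater.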
References (11)
- https://attack.mitre.org/techniques/T1102/001/
- https://www.welivesecurity.com/2019/10/03/who-is-monsieur-fancy-bear/
- https://securelist.com/the-banking-trojans-in-brazil-july-2020/97372/
- https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation
- https://www.fireeye.com/blog/threat-research/2014/09/darwin-s-favorite-apt-group-2.html
- https://www.paloaltonetworks.com/blog/2017/06/unit42-paranoid-plugx/
- https://research.checkpoint.com/2022/apt35-exploits-log4shell-campaign/
- https://www.zscaler.com/blogs/security-research/kimsuky-translatext-chrome-extension
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-network-events
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1102.001/T1102.001.md