title: Dead Drop Resolver (T1102.001)
id: df00tech-t1102-001
status: experimental
description: "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries post content (dead drop resolvers) on services like Pastebin, GitHub, Twitter, Google Docs, YouTube, or Microsoft TechNet with embedded and often obfuscated or encoded domains or IP addresses. Infected victims reach out to these resolvers to obtain real C2 server addresses, allowing attackers to change infrastructure dynamically while hiding behind trusted domains. This technique leverages the legitimacy and SSL/TLS encryption of popular web services to blend into normal network traffic and protect back-end C2 infrastructure from discovery through malware binary analysis."
references:
  - https://attack.mitre.org/techniques/T1102/001/
  - https://df00tech.com/detections/T1102.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1102.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate developer tooling (git clients, CI/CD agents, IDEs) making programmatic requests to GitHub APIs or raw content URLs"
  - "Software update mechanisms or package managers (npm, pip, Chocolatey) resolving dependencies from GitHub or cloud storage"
  - "IT automation scripts (Ansible, Chef, Puppet, Terraform) using PowerShell or cmd.exe to fetch configuration data from cloud services like S3 or SharePoint"
  - "Security monitoring agents or vulnerability scanners that fetch IOC feeds or configuration from Pastebin-like services"
  - "Corporate applications that legitimately integrate with Google Drive, SharePoint, or OneDrive using background service processes"
level: high
