
DET0058 Detection Strategy for Web Service: Dead Drop Resolver

| Item | Value |
|---|---|
| ID | DET0058 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1102.001 (Dead Drop Resolver)

Analytics

Windows

AN0158

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Network Traffic Content (DC0085) | etw:Microsoft-Windows-NDIS-PacketCapture | TLS Handshake/Network Flow |

Mutable Elements

| Field | Description |
|---|---|
| TargetDomain | FQDN or IP for the hosting site of the dead drop (e.g., pastebin.com, twitter.com) |
| TimeWindow | Defines how close in time the suspicious network and process behavior must occur |
| UserContext | Filter by user or system accounts to reduce noise |
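As an added illustration of the AN0158 correlation (not part of this detection strategy and not MITRE's code), the following Python correlates constructed Sysmon EventCode 22/3 records per process: a DNS query or connection to a TargetDomain followed, inside TimeWindow, by a connection to a destination that is not a TargetDomain. The domain list, the 300-second window, the ignored account and the sample records are assumptions made for the demo.

```python
from datetime import datetime
# Mutable elements of AN0158; the concrete values here are demo assumptions.
TARGET_DOMAINS = {"pastebin.com", "twitter.com"}   # TargetDomain
TIME_WINDOW_SECONDS = 300                           # TimeWindow
IGNORED_USERS = {"NT AUTHORITY\\SYSTEM"}            # UserContext filter

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _is_target(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in TARGET_DOMAINS)

def find_dead_drop_chains(events, window_seconds=TIME_WINDOW_SECONDS):
    """Per (ProcessId, Image): a Sysmon EventCode 22 (DNS query) or 3 (connection)
    to a TargetDomain, followed inside the window by an EventCode 3 to a non-target
    destination. Returns (pid, image, resolver_host, follow_on_ip) per chain."""
    last_fetch = {}   # (pid, image) -> (time, resolver host)
    alerts = []
    for e in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if e["EventCode"] not in (3, 22) or e["User"] in IGNORED_USERS:
            continue
        key, t = (e["ProcessId"], e["Image"]), _ts(e["UtcTime"])
        host = e.get("QueryName") or e.get("DestinationHostname") or ""
        if _is_target(host):
            last_fetch[key] = (t, host)                 # dead drop fetch seen
        elif e["EventCode"] == 3 and key in last_fetch:
            t0, rhost = last_fetch[key]
            if (t - t0).total_seconds() <= window_seconds:  # inside TimeWindow
                alerts.append((key[0], key[1], rhost, e["DestinationIp"]))
                del last_fetch[key]                     # one alert per fetch
    return alerts

# Constructed Sysmon-style records, not real telemetry; IPs are RFC 5737 ranges.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVC = r"C:\Windows\System32\svchost.exe"
def _ev(code, t, pid, image, host="", ip="", user="CORP\\jdoe"):
    e = {"EventCode": code, "UtcTime": t, "ProcessId": pid, "Image": image,
         "User": user, "DestinationIp": ip}
    e["QueryName" if code == 22 else "DestinationHostname"] = host
    return e

SAMPLE_EVENTS = [
    _ev(22, "2025-10-21 09:00:01", 4120, PS, host="pastebin.com"),
    _ev(3, "2025-10-21 09:00:02", 4120, PS, host="pastebin.com", ip="192.0.2.10"),
    _ev(3, "2025-10-21 09:01:30", 4120, PS, ip="203.0.113.45"),  # 88 s later
    _ev(3, "2025-10-21 09:05:00", 880, SVC, host="pastebin.com", ip="192.0.2.10"),
    _ev(3, "2025-10-21 09:20:00", 880, SVC, ip="198.51.100.7"),  # 15 min later
]
```

Widening `window_seconds` turns the svchost.exe pair into a second alert, which is the noise trade-off the TimeWindow and UserContext elements exist to tune.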

Linux

AN0159

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Network Traffic Content (DC0085) | NSM:Flow | HTTP/TLS Logs |

Mutable Elements

| Field | Description |
|---|---|
| TargetDomain | Dead drop hosting domain (e.g., GitHub, Google Docs) |
| PayloadEntropyThreshold | Detects high entropy in payloads signaling obfuscation |
| TimeWindow | Causal proximity between access to resolver and follow-up connections |

macOS

AN0160

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | subsystem: com.apple.network |
| Network Connection Creation (DC0082) | macos:osquery | process_events/socket_events |

Mutable Elements

| Field | Description |
|---|---|
| TargetService | Known services abused for C2 (e.g., iCloud, Dropbox) |
| UserContext | Useful to isolate rare users accessing web services for C2 |
| TimeWindow | Max time gap between dead drop resolver fetch and follow-on traffic |

ESXi

AN0161

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vobd | Network Events |
| Network Connection Creation (DC0082) | NSM:Firewall | Outbound Connections |

Mutable Elements

| Field | Description |
|---|---|
| DestinationIP | Identifies unusual IP destinations embedded in traffic |
| Protocol | Used to detect uncommon protocols (e.g., DNS over HTTPS) |
| TimeWindow | Used to correlate outbound web requests with process execution |