Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware that can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement protects against Dead Drop Resolver through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1102.001 | Dead Drop Resolver | |
| CM-06 | Configuration Settings | mitigates | T1102.001 | Dead Drop Resolver | |
| SI-03 | Malicious Code Protection | mitigates | T1102.001 | Dead Drop Resolver | |
| CM-02 | Baseline Configuration | mitigates | T1102.001 | Dead Drop Resolver | |
| CM-07 | Least Functionality | mitigates | T1102.001 | Dead Drop Resolver | |
| SI-04 | System Monitoring | mitigates | T1102.001 | Dead Drop Resolver | |
| AC-04 | Information Flow Enforcement | mitigates | T1102.001 | Dead Drop Resolver | |
| SC-07 | Boundary Protection | mitigates | T1102.001 | Dead Drop Resolver |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1102.001 | Dead Drop Resolver | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1102.001 | Dead Drop Resolver |