053. Detecting Dead Drop Resolver (DDR) Technique
Hello everyone! Today we'll talk about the Dead Drop Resolver sub-technique (T1102.001), and how to detect it, of course. We'll look at how ACRStealer abuses it, as seen in this report by AhnLab.
So, the stealer uses three legitimate web services to obtain the list of C2 servers:
- Steam
- Telegraph
- Google Docs
Ok, in order to detect suspicious activity, we need to find DNS requests for these services that do not come from common applications, for example, Steam, web browsers, etc. It also depends on your EDR: some of them may not collect DNS requests made by browsers at all, so in that case you don't need to exclude them.
In my case Steam has the longest list of exclusions, as it includes games, VPN clients, etc. (note that browsers are excluded by default):
event_type: "dnsreq"
AND
dns_rname: "steamcommunity.com"
AND NOT
proc_file_path: ("steam.exe" OR "steamwebhelper.exe" OR "vrwebhelper.exe" OR "cs.exe" OR "avp.exe" OR "wire.exe" OR "svchost.exe" OR "msmpeng.exe" OR "networkservice.exe" OR "intelconnectivityservice.exe" OR "arc.exe" OR "cs_new.exe" OR "spd.exe" OR "eaanticheat.gameservice.exe" OR "ipconfig.exe" OR "expressconnectnetworkservice.exe" OR "left4dead2.exe" OR "dwnetfilter.exe" OR "recruitment tools.exe" OR "snoop_cli.exe" OR "kpm.exe" OR "steam desktop authenticator.exe" OR "charles.exe" OR "csgo.exe" OR "hl2.exe" OR "wmiprvse.exe" OR "intelconnectivitynetworkservice.exe" OR "gearup_booster.exe" OR "streaming_client.exe" OR "rustclient.exe" OR "faceit.exe" OR "whatsapp.exe" OR "rave.exe" OR "killernetworkservice.exe" OR "overwolf.exe" OR "overwolfbrowser.exe" OR "urbanvpnserv.exe")
Telegraph has fewer exclusions, but still we have quite a long list:
event_type: "dnsreq"
AND
dns_rname: "telegra.ph"
AND NOT
proc_file_path: ("avp.exe" OR "msedgewebview2.exe" OR "networkservice.exe" OR "ipconfig.exe" OR "svchost.exe" OR "commandcenter.exe" OR "atom.exe" OR "smartscreen.exe" OR "msmpeng.exe" OR "IpTvPlayer.exe" OR "dwnetfilter.exe" OR "WhatsApp.exe" OR "bitrix24.exe" OR "outlook.exe" OR "powerpnt.exe" OR "Charles.exe" OR "acrord32.exe" OR "mattermost.exe" OR "wwahost.exe" OR "express.exe")
Finally, Google! To tell the truth, this list is even shorter, have a look:
event_type: "dnsreq"
AND
dns_rname: "google.com"
AND NOT
proc_file_path: ("CommandCenter.exe" OR "svchost.exe" OR "zen.exe" OR "conhost.exe" OR "avp.exe" OR "ping.exe" OR "midori.exe")
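The three queries above are really one rule applied three times: a DNS request for a dead-drop domain, minus the processes that are expected to resolve it. Below is an added example (mine, not from the post or the AhnLab report) that implements the same logic over a few constructed DNS events so you can see what a hit looks like. The field names mirror the queries; the event records, file paths and the shortened exclusion lists are assumptions for the example, so take the full process lists from the queries above when you use it:

```python
import ntpath  # Windows paths are parsed correctly even when this runs on Linux
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule set mirroring the three queries: the name the stealer resolves, and the
# processes for which that lookup is expected. Lists are shortened for the
# example (assumption); use the full exclusion lists from the queries above.
DDR_RULES = {
    "steamcommunity.com": {"steam.exe", "steamwebhelper.exe", "svchost.exe", "msmpeng.exe"},
    "telegra.ph": {"msedgewebview2.exe", "svchost.exe", "outlook.exe"},
    "google.com": {"svchost.exe", "ping.exe", "conhost.exe"},
}

# Browsers are excluded for every rule, as the queries do by default (assumed set).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


@dataclass
class DnsEvent:
    event_type: str      # "dnsreq" for DNS request telemetry
    dns_rname: str       # name being resolved
    proc_file_path: str  # full path of the requesting process


def matches_rule(event: DnsEvent) -> Optional[str]:
    """Return the matched dead-drop domain if the lookup is suspicious, else None."""
    if event.event_type != "dnsreq":
        return None
    rname = event.dns_rname.lower().rstrip(".")
    # Compare on the executable name, case-insensitively, as the queries do.
    proc = ntpath.basename(event.proc_file_path).lower()
    for domain, allowed in DDR_RULES.items():
        # Match the apex and any subdomain (docs.google.com, www.steamcommunity.com),
        # but not look-alikes such as notgoogle.com.
        if rname == domain or rname.endswith("." + domain):
            if proc in allowed or proc in BROWSERS:
                return None
            return domain
    return None


def hunt(events: List[DnsEvent]) -> List[Tuple[str, str, str]]:
    """Return (process path, resolved name, matched domain) for every suspicious event."""
    hits = []
    for e in events:
        domain = matches_rule(e)
        if domain:
            hits.append((e.proc_file_path, e.dns_rname, domain))
    return hits


# Constructed sample telemetry: three benign lookups, three suspicious ones,
# one non-DNS event and one look-alike domain.
SAMPLE_EVENTS = [
    DnsEvent("dnsreq", "steamcommunity.com", r"C:\Program Files (x86)\Steam\steam.exe"),
    DnsEvent("dnsreq", "steamcommunity.com", r"C:\Users\user\AppData\Local\Temp\update.exe"),
    DnsEvent("dnsreq", "telegra.ph", r"C:\Windows\System32\svchost.exe"),
    DnsEvent("dnsreq", "telegra.ph", r"C:\Users\user\Downloads\setup.exe"),
    DnsEvent("dnsreq", "docs.google.com", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    DnsEvent("dnsreq", "docs.google.com", r"C:\Users\user\Downloads\setup.exe"),
    DnsEvent("netconn", "steamcommunity.com", r"C:\Users\user\Downloads\setup.exe"),
    DnsEvent("dnsreq", "notgoogle.com", r"C:\Users\user\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for path, name, domain in hunt(SAMPLE_EVENTS):
        print(f"suspicious DDR lookup: {path} -> {name} (rule: {domain})")
```

Running it reports the three lookups from update.exe and setup.exe and stays silent for steam.exe, svchost.exe and chrome.exe. One caveat that applies to the real queries as well: excluding on the file name alone means a sample dropped as steam.exe or svchost.exe in a user-writable folder would slip through, so where your telemetry has it, tighten the exclusions with the expected full path or the binary's signer rather than the name only.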
Of course, such exclusions depend on your telemetry. If you have anything to add - leave a comment!
See you tomorrow!