053. Detecting Dead Drop Resolver (DDR) Technique

Hello everyone! Today we'll talk about the Dead Drop Resolver sub-technique (T1102.001) and, of course, how to detect it. We'll look at how ACRStealer abuses it, as seen in this report by AhnLab.


So, the stealer uses three legitimate services to obtain its list of C2 servers:

  • Steam
  • Telegraph
  • Google Docs

Ok, in order to detect suspicious activity, we need to find DNS requests for these services that do not come from the applications expected to make them, for example Steam itself, web browsers, etc. It also depends on your EDR: some of them don't collect DNS requests made by browsers at all, and in that case you don't need to exclude them.

In my case Steam has the longest list of exclusions, as it includes games, VPN clients, etc. (note that browsers are excluded by default):

event_type: "dnsreq" 

AND

dns_rname: "steamcommunity.com" 

AND NOT 

proc_file_path: ("steam.exe" OR "steamwebhelper.exe" OR "vrwebhelper.exe" OR "cs.exe" OR "avp.exe" OR "wire.exe" OR "svchost.exe" OR "msmpeng.exe" OR "networkservice.exe" OR "intelconnectivityservice.exe" OR "arc.exe" OR "cs_new.exe" OR "spd.exe" OR "eaanticheat.gameservice.exe" OR "ipconfig.exe" OR "expressconnectnetworkservice.exe" OR "left4dead2.exe" OR "dwnetfilter.exe" OR "recruitment tools.exe" OR "snoop_cli.exe" OR "kpm.exe" OR "steam desktop authenticator.exe" OR "charles.exe" OR "csgo.exe" OR "hl2.exe" OR "wmiprvse.exe" OR "intelconnectivitynetworkservice.exe" OR "gearup_booster.exe" OR "streaming_client.exe" OR "rustclient.exe" OR "faceit.exe" OR "whatsapp.exe" OR "rave.exe" OR "killernetworkservice.exe" OR "overwolf.exe" OR "overwolfbrowser.exe" OR "urbanvpnserv.exe")

Telegraph has fewer exclusions, but we still get quite a long list:

event_type: "dnsreq" 

AND 

dns_rname: "telegra.ph" 

AND NOT 

proc_file_path: ("avp.exe" OR "msedgewebview2.exe" OR "networkservice.exe" OR "ipconfig.exe" OR "svchost.exe" OR "commandcenter.exe" OR "atom.exe" OR "smartscreen.exe" OR "msmpeng.exe" OR "IpTvPlayer.exe" OR "dwnetfilter.exe" OR "WhatsApp.exe" OR "bitrix24.exe" OR "outlook.exe" OR "powerpnt.exe" OR "Charles.exe" OR "acrord32.exe" OR "mattermost.exe" OR "wwahost.exe" OR "express.exe")

Finally, Google! To tell the truth, this one is even shorter, have a look (keep in mind that matching google.com will catch lookups of docs.google.com, which is what we want, but also of every other Google service, so expect more noise from this rule):

event_type: "dnsreq" 

AND 

dns_rname: "google.com" 

AND NOT 

proc_file_path: ("CommandCenter.exe" OR "svchost.exe" OR "zen.exe" OR "conhost.exe" OR "avp.exe" OR "ping.exe" OR "midori.exe")
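To show the three rules above working end to end, here is an added example (my own code, not the author's EDR queries) that runs the same logic over constructed JSON-lines DNS telemetry: an event fires when it is a dnsreq for one of the three domains and the requesting image is neither in that domain's exclusion list nor a browser. The field names event_type, dns_rname and proc_file_path follow the post; the allowlists are illustrative subsets of the post's exclusions, the browser list and the sample events are assumptions, and matching is done case-insensitively on the image name and on subdomains (so docs.google.com hits the google.com rule).

```python
import json
import ntpath

# Illustrative subsets of the post's exclusion lists, stored lowercase so
# matching is case-insensitive (the post's lists mix "Charles.exe" and
# "charles.exe"). Extend these with your own telemetry.
DDR_RULES = {
    "steamcommunity.com": {"steam.exe", "steamwebhelper.exe", "svchost.exe",
                           "msmpeng.exe", "avp.exe", "csgo.exe", "hl2.exe"},
    "telegra.ph": {"avp.exe", "msedgewebview2.exe", "svchost.exe", "msmpeng.exe",
                   "outlook.exe", "whatsapp.exe", "mattermost.exe"},
    "google.com": {"svchost.exe", "conhost.exe", "avp.exe", "ping.exe"},
}

# The post excludes browsers by default; modelled here with an assumed list
# of common browser image names.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def domain_matches(rname: str, domain: str) -> bool:
    """True if the queried name is the domain itself or a subdomain of it.

    The google.com rule therefore fires on docs.google.com (what the stealer
    uses) but also on every other Google host, so expect noise from it.
    """
    rname = rname.lower().rstrip(".")
    return rname == domain or rname.endswith("." + domain)


def evaluate(event: dict):
    """Return an alert dict for a suspicious DDR lookup, or None."""
    if event.get("event_type") != "dnsreq":
        return None
    rname = event.get("dns_rname", "")
    # Compare on the image name only; ntpath handles Windows paths on any OS.
    proc = ntpath.basename(event.get("proc_file_path", "")).lower()
    for domain, allowed in DDR_RULES.items():
        if not domain_matches(rname, domain):
            continue
        # Allowlists are per domain: outlook.exe is excluded for telegra.ph
        # in the post, but a lookup of steamcommunity.com from it still fires.
        if proc in allowed or proc in BROWSERS:
            return None
        return {"rule": f"DDR lookup: {domain}", "process": proc,
                "dns_rname": rname, "path": event.get("proc_file_path", "")}
    return None


def hunt(lines):
    """Run the three rules over JSON-lines DNS telemetry and collect alerts."""
    return [hit for hit in (evaluate(json.loads(line)) for line in lines) if hit]


# Constructed sample telemetry (assumed format, not real EDR output).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event_type": "dnsreq", "proc_file_path": r"C:\Program Files (x86)\Steam\Steam.exe",
     "dns_rname": "steamcommunity.com"},               # benign: excluded (any case)
    {"event_type": "dnsreq", "proc_file_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dns_rname": "telegra.ph"},                       # benign: browser
    {"event_type": "dnsreq", "proc_file_path": r"C:\Users\Public\update.exe",
     "dns_rname": "steamcommunity.com"},               # suspicious
    {"event_type": "dnsreq", "proc_file_path": r"C:\Users\Public\update.exe",
     "dns_rname": "telegra.ph"},                       # suspicious
    {"event_type": "dnsreq", "proc_file_path": r"C:\Users\Public\update.exe",
     "dns_rname": "docs.google.com"},                  # suspicious (subdomain match)
    {"event_type": "dnsreq", "proc_file_path": r"C:\Windows\System32\PING.EXE",
     "dns_rname": "google.com"},                       # benign: excluded (any case)
    {"event_type": "dnsreq", "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dns_rname": "steamcommunity.com"},               # suspicious: excluded only for telegra.ph
    {"event_type": "netconn", "proc_file_path": r"C:\Users\Public\update.exe",
     "dns_rname": "telegra.ph"},                       # ignored: not a DNS event
]]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the script prints four alerts: three for update.exe (one per service) and one for OUTLOOK.EXE resolving steamcommunity.com. Keeping a separate exclusion set per domain, as the post does, is what makes that last one visible.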

Of course, such exclusions depend on your telemetry. Also check how your query language compares proc_file_path: the lists above mix cases ("Charles.exe" and "charles.exe"), which only works if the match is case-insensitive. If you have anything to add, leave a comment!

See you tomorrow!
