- Tactics
- Command and Control
- Platforms
- ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1102.001
Description
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Command and Control tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1001 — Data Obfuscation
- T1008 — Fallback Channels
- T1071 — Application Layer Protocol
- T1090 — Proxy
- T1092 — Communication Through Removable Media
- T1095 — Non-Application Layer Protocol
- T1102 — Web Service
- T1104 — Multi-Stage Channels
- T1105 — Ingress Tool Transfer
- T1132 — Data Encoding
- T1205 — Traffic Signaling
- T1219 — Remote Access Tools