MITRE ATT&CK® Analytic

AN0158: Analytic 0158

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Enterprise · AN0158 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting Windows processes or scripts that contact a common web service to retrieve hidden or obfuscated information pointing to a secondary command-and-control location. For leaders, the significance is not the specific web service itself, but the use of trusted or routine web destinations as an indirect way to find attacker infrastructure, which can make simple domain blocklists and perimeter-only monitoring less reliable.

Executive priority

Prioritize this as a resilience and detection-engineering question: can the organization distinguish normal business use of common web services from unusual scripted access that may be resolving follow-on command-and-control infrastructure? This matters for SOC readiness, incident response triage, and audit evidence around monitoring of Windows endpoint activity and outbound web access. Because ATT&CK provides no detection logic or relationship context for this object, investment decisions should be based on whether local telemetry can connect process/script execution to outbound web requests and content retrieval patterns.

Technical view

Validate whether Windows endpoint and network telemetry can show a process or script accessing a common web service and retrieving content that may contain obfuscated indicators for a secondary C2 server. Detection work should focus on process-to-network correlation, script interpreter behavior, unusual command-line patterns, and outbound requests to common web services that are atypical for the host, user, or parent process. Since no official detection query is supplied, teams should develop and test environment-specific logic rather than assuming generic indicators will be sufficient.

Likely telemetry

  • Windows process creation events, including command line, parent process, user, and host context
  • Script execution telemetry from Windows hosts where available
  • Endpoint network connection events correlated to initiating process
  • Proxy, secure web gateway, DNS, and firewall logs showing outbound access to common web services
  • HTTP request metadata and, where policy permits, content inspection or download metadata

Detection direction

  • Confirm that endpoint and network logs can be joined so analysts can identify which Windows process or script initiated a web request.
  • Baseline legitimate business and administrative use of common web services to reduce false positives.
  • Look for unusual scripted or automated access patterns, especially from hosts or users that do not normally retrieve content from those services.
  • Tune detections around behavior and context rather than blocking common services outright, as those services may have legitimate use.
  • Account for blind spots where TLS inspection, endpoint network attribution, script block logging, or proxy visibility is limited.
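The process-to-network correlation and baselining described in the technical view and the detection direction above, as an added example that is not Glexia's or MITRE's code: it joins constructed Sysmon-style process-creation (EID 1) and network-connection (EID 3) records by process GUID, flags script interpreters reaching common web services that are not in a per-host baseline, and counts network events with no process attribution as a visibility gap. The interpreter list, the web-service domains, the baseline and all event values are assumptions for illustration.

```python
# Added example (not Glexia's or MITRE's code): join constructed Sysmon-style
# process-creation (EID 1) and network-connection (EID 3) events by process GUID,
# then flag script interpreters reaching common web services outside a baseline.
# Assumptions: the interpreter list, the "common web service" domains and the
# baseline are illustrative and must be tuned to the local environment.
SCRIPT_INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMMON_WEB_SERVICES = {"pastebin.com", "raw.githubusercontent.com", "docs.google.com"}
# Approved (host, process, destination) triples observed during baselining.
BASELINE = {("build01", "powershell.exe", "raw.githubusercontent.com")}

# Constructed sample telemetry; field names loosely mirror Sysmon event fields.
EVENTS = [
    {"eid": 1, "host": "ws07", "guid": "g1", "image": "powershell.exe",
     "parent": "winword.exe", "cmd": "powershell.exe -NoProfile -File C:\\Users\\Public\\get.ps1"},
    {"eid": 3, "host": "ws07", "guid": "g1", "dest_host": "pastebin.com", "dest_port": 443},
    {"eid": 1, "host": "build01", "guid": "g2", "image": "powershell.exe",
     "parent": "jenkins.exe", "cmd": "powershell.exe -File fetch.ps1"},
    {"eid": 3, "host": "build01", "guid": "g2", "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"eid": 1, "host": "ws07", "guid": "g3", "image": "chrome.exe",
     "parent": "explorer.exe", "cmd": "chrome.exe"},
    {"eid": 3, "host": "ws07", "guid": "g3", "dest_host": "docs.google.com", "dest_port": 443},
    {"eid": 3, "host": "ws09", "guid": "g4", "dest_host": "pastebin.com", "dest_port": 443},
]

def find_dead_drop_candidates(events, baseline=BASELINE):
    """Return (alerts, unattributed): alerts are script interpreters that
    contacted a common web service outside the host baseline; unattributed
    counts network events with no matching process record (a visibility gap)."""
    procs = {(e["host"], e["guid"]): e for e in events if e["eid"] == 1}
    alerts, unattributed = [], 0
    for e in (x for x in events if x["eid"] == 3):
        proc = procs.get((e["host"], e["guid"]))
        if proc is None:
            unattributed += 1
            continue
        image, dest = proc["image"].lower(), e["dest_host"].lower()
        if image not in SCRIPT_INTERPRETERS or dest not in COMMON_WEB_SERVICES:
            continue
        if (e["host"], image, dest) in baseline:
            continue  # known-good scripted use; do not alert on it
        alerts.append({"host": e["host"], "image": image, "parent": proc["parent"],
                       "dest": dest, "cmd": proc["cmd"]})
    return alerts, unattributed

if __name__ == "__main__":
    found, gaps = find_dead_drop_candidates(EVENTS)
    for a in found:
        print("ALERT", a)
    print("network events without process attribution:", gaps)
```

The unattributed count is the number to watch when endpoint network attribution is incomplete; a rising value means the join itself, not the rule, is the weak point.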

Mitigation priorities

  • Ensure Windows endpoint logging and outbound web telemetry are enabled and retained at levels useful for incident response.
  • Apply least-privilege and application control principles to reduce unauthorized script execution where operationally feasible.
  • Review egress controls and proxy policies for unmanaged or unusual access to common web services, while avoiding disruption to approved business use.
  • Maintain incident response playbooks for investigating process-linked outbound web activity and potential dead drop resolver behavior.
  • Use local environment baselines to prioritize detections for high-value systems, administrative workstations, and servers with unusual internet access needs.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic for Windows dead drop resolver behavior: a process or script retrieves content from a common web service that contains obfuscated indicators of a secondary C2 server. No tactics, relationships, or official detection logic were supplied, so the practical value is in validating telemetry coverage and building local behavioral analytics.

The supplied ATT&CK fields do not include a detection query, related techniques, threat groups, software, campaigns, or mitigations. This take therefore avoids attribution, active exploitation claims, and guaranteed detection outcomes. Local baselines, logging depth, and inspection policies will determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 0158

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 81b03e431de34060...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  81b03e431de3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0158

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.