AN0159: Analytic 0159
Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).
Analyst context for executives and security teams
This analytic is about spotting Linux processes or scripts that contact common web services to retrieve content hiding indicators for a secondary command-and-control location. For leaders, the significance is that ordinary-looking web access can be used as a lookup mechanism for later malicious infrastructure, making it harder to rely only on blocklists or obvious C2 destinations.
Executive priority
Prioritize this as a validation point for SOC visibility and incident response readiness on Linux systems. The business question is whether teams can distinguish normal access to common web services from suspicious retrieval behavior that may enable follow-on C2. Because the ATT&CK object provides no official detection logic or tactic mapping, this should drive control validation and telemetry review rather than assumptions of existing coverage.
Technical view
For Linux environments, validate whether endpoint and network telemetry can show which process or script accessed a common web service, the destination, timing, command context where available, and the retrieved content or metadata when policy allows. Since the analytic description centers on dead drop resolver behavior, detection engineering should focus on correlating process execution with outbound web requests and suspicious content retrieval patterns. No ATT&CK relationship context or official detection procedure was supplied, so local baselining is required.
Likely telemetry
- Linux process execution telemetry
- Script interpreter activity on Linux systems
- Outbound web/proxy/DNS connection logs
- HTTP/S request metadata where collected
- Endpoint-to-network correlation showing process-to-destination linkage
Detection direction
- Confirm whether Linux endpoint telemetry can attribute outbound web access to the originating process or script.
- Baseline legitimate automated access to common web services to reduce false positives.
- Look for unusual scripts or processes retrieving external content shortly before additional network activity.
- Correlate web access with DNS, proxy, and endpoint events rather than relying only on destination reputation.
- Identify blind spots where TLS inspection, proxy logging, or endpoint process-network correlation is absent.
Mitigation priorities
- Improve Linux endpoint logging and process-to-network visibility first.
- Ensure proxy, DNS, and network logs are retained and searchable for incident response.
- Restrict unauthorized script execution and outbound access where business requirements allow.
- Use egress controls and allowlisting for high-value Linux systems when feasible.
- Document telemetry and control coverage as compliance and audit evidence for C2 detection readiness.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0159, for Linux. It describes access to common web services to retrieve obfuscated indicators of a secondary C2 server, also described as dead drop resolver behavior. No tactics, relationships, aliases, labels, or official detection details were supplied, so this take focuses on defensive validation rather than specific detection rules.
This assessment is limited to the supplied STIX fields and the MITRE external reference. It does not establish active exploitation, actor attribution, business impact, or guaranteed detection coverage. Local environment baselines, logging depth, privacy constraints, and network architecture determine whether this behavior can be reliably detected.
Analytic 0159
Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9f922dc0b9a7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0159Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.