MITRE ATT&CK® Detection Strategy

DET0058: Detection Strategy for Web Service: Dead Drop Resolver

Domain: Enterprise. ID: DET0058. Type: Detection Strategy. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is tied to ATT&CK technique T1102.001, Dead Drop Resolver: adversaries using legitimate external web services to publish or retrieve pointers to command-and-control infrastructure. The business significance is that normal-looking web traffic to trusted or popular sites can become part of C2 discovery, making simple domain blocking or perimeter-only thinking insufficient.

Executive priority

Prioritize this as a control-validation topic for command-and-control resilience. Leaders should ask whether SOC, network, proxy, DNS, and endpoint teams can distinguish normal access to legitimate web services from unusual resolver-like behavior, and whether incident response playbooks account for C2 that is indirectly discovered through public web content. Because the ATT&CK detection strategy object contains no official detection text, coverage should be proven with local telemetry and testing rather than assumed from ATT&CK alone.

Technical view

The detection strategy object carries no platform, tactic, description, or detection details of its own; its only content is the relationship stating that it detects T1102.001, a sub-technique in the command-and-control tactic. Defensive validation should therefore take its scope from that sub-technique: endpoints on ESXi, Linux, macOS, and Windows reaching legitimate external web services and then connecting to domains or IP addresses derived from the retrieved content. SOC teams should look for correlated patterns: unusual web-service access by a process or host, encoded or obfuscated content retrieval where it is visible, followed by new outbound C2-like destinations.

Likely telemetry

  • Proxy and secure web gateway logs for outbound web requests to external services
  • DNS query logs and resolver telemetry for domains contacted after web-service access
  • Firewall or network flow records showing subsequent outbound connections to derived IPs or domains
  • Endpoint process and network connection telemetry from ESXi, Linux, macOS, and Windows where available
  • TLS/SNI, HTTP metadata, and URL path/referrer data where collected and legally permitted

Detection direction

  • Validate whether detections correlate web-service access with later outbound connections rather than relying only on reputation or blocklists.
  • Tune for business-approved use of popular web and social platforms to reduce false positives while preserving visibility into unusual hosts, service accounts, servers, and rare processes making such requests.
  • Check blind spots created by encrypted traffic, unmanaged endpoints, limited proxy logging, direct-to-internet egress, and missing endpoint process-to-network correlation.
  • Use the relationship to T1102.001 as the analytic anchor: the relevant behavior is use of legitimate external web services as a resolver for additional C2 infrastructure.
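The correlation step described in the detection-direction list above, and the telemetry listed under "Likely telemetry", can be exercised against a merged proxy/flow event stream. The following is an added example written for this page; it is not code from MITRE ATT&CK or from Glexia. The sample events, host names, process names, the list of dead-drop-capable services, the sanctioned host/process pairs, and the per-host destination baseline are all constructed assumptions and must be replaced with local data before use.

```python
"""Added example: flag unsanctioned access to a dead-drop-capable web service
that is followed, within a short window, by a connection from the same host to
a destination the host has never contacted before (a resolver-like chain).
All telemetry and tuning data below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (proxy and flow records merged into one stream).
# Format: <ISO timestamp> <host> <process> <destination>
SAMPLE_EVENTS = """\
2024-05-01T09:00:05Z ws01 chrome.exe github.com
2024-05-01T09:00:09Z ws01 chrome.exe api.github.com
2024-05-01T09:30:00Z ws03 firefox.exe pastebin.com
2024-05-01T09:30:02Z ws03 firefox.exe mail.corp.example
2024-05-01T10:15:00Z srv-db02 svchost.exe pastebin.com
2024-05-01T10:15:21Z srv-db02 svchost.exe 203.0.113.77
2024-05-01T12:00:00Z ws05 chrome.exe twitter.com
2024-05-01T12:30:00Z ws05 chrome.exe 192.0.2.10
"""

# Assumed list of legitimate services an adversary could use as a dead drop.
DEAD_DROP_SERVICES = {"github.com", "pastebin.com", "twitter.com"}

# Assumed host/process pairs with documented, business-approved use of those
# services (the "sanctioned use" the page recommends recording).
SANCTIONED = {("ws01", "chrome.exe")}

# Assumed per-host baseline of destinations seen during a learning period.
BASELINE = {
    "ws01": {"github.com", "api.github.com"},
    "ws03": {"mail.corp.example"},
    "srv-db02": {"10.0.0.5"},
    "ws05": set(),
}

# How long after the web-service request a follow-on connection still counts.
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    process: str
    dest: str


def parse_events(text: str) -> list[Event]:
    """Parse the whitespace-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            host, proc, dest))
    return events


def find_resolver_chains(events, window=WINDOW, services=DEAD_DROP_SERVICES,
                         sanctioned=SANCTIONED, baseline=BASELINE):
    """Return one alert per (service access -> first-seen destination) chain.

    A chain is reported only when the service access is not sanctioned for
    that host/process pair, the follow-on destination is neither another
    dead-drop service nor in the host's baseline, and it occurs within
    `window` of the service access. Ordering is per host by timestamp."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        known = set(baseline.get(host, set()))
        for i, trigger in enumerate(evs):
            if trigger.dest not in services or (host, trigger.process) in sanctioned:
                continue
            for follow in evs[i + 1:]:
                if follow.ts - trigger.ts > window:
                    break  # later events are outside the window; stop scanning
                if follow.dest in services or follow.dest in known:
                    continue
                alerts.append({
                    "host": host,
                    "service": trigger.dest,
                    "service_process": trigger.process,
                    "follow_on": follow.dest,
                    "follow_on_process": follow.process,
                    "seconds_after": int((follow.ts - trigger.ts).total_seconds()),
                })
    return alerts


def run_sample():
    """Run the detection over the constructed sample stream."""
    return find_resolver_chains(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed data only srv-db02 fires: a database server's svchost.exe reaches pastebin.com and 21 seconds later opens a connection to 203.0.113.77, which is not in that host's baseline. ws01 is suppressed by the sanctioned pair, ws03's follow-on is a baselined destination, and ws05's later connection falls outside the window. The baseline and the sanctioned list are where the false-positive tuning the page calls for actually happens; a real deployment would populate them from proxy history and the documented acceptable-use inventory rather than from literals.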

Mitigation priorities

  • Maintain centralized egress visibility through proxy, DNS, firewall, and endpoint telemetry before depending on alert logic.
  • Apply least-privilege egress controls where practical, especially for servers and systems that should not browse external web services.
  • Document and review sanctioned use of external web services so detections can distinguish expected business activity from suspicious resolver behavior.
  • Ensure incident response procedures include rapid scoping of follow-on infrastructure contacted after a suspicious web-service request.
  • Use ATT&CK mapping as compliance and readiness evidence only after local telemetry, alert logic, and response playbooks are validated.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy record with no official description or detection content. The most useful context comes from its relationship to T1102.001 Dead Drop Resolver, which is a command-and-control technique involving legitimate external web services that host pointers to additional C2 infrastructure.

This take cannot assert specific detection logic, supported platforms for the strategy itself, active exploitation, adversary attribution, or guaranteed coverage because those details are not present in the supplied detection strategy fields. Local environment architecture, logging depth, and acceptable-use patterns are required to turn this into operational detections.

Official MITRE ATT&CK definition

Detection Strategy for Web Service: Dead Drop Resolver

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1102.001
Name: Dead Drop Resolver
Type: Sub-technique
Relationship / procedure: This object detects Dead Drop Resolver.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: not present in the mirrored snapshot
Modified: not present in the mirrored snapshot
Raw hash: 9f27e2ffc04c73fe...

Imported snapshots across ATT&CK releases (1)

Release 19.1, object version 1.0, status: current bundle, raw hash 9f27e2ffc04c… (bundle import date and modified timestamp not present in the snapshot).
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0058 (source URL preserved in the mirrored record)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.