DNS Request for IP Lookup Service via Unsigned Binary

Detects when a DNS request is made for an IP lookup service to determine the external IP address of the system via an unsigned or untrusted binary. This is commonly used by malware for reconnaissance before establishing C2 connections.

Elastic rule

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects when a DNS request is made for an IP lookup service to determine the external IP address of the 
system via an unsigned or untrusted binary. This is commonly used by malware for reconnaissance before 
establishing C2 connections.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "DNS Request for IP Lookup Service via Unsigned Binary"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating DNS Request for IP Lookup Service via Unsigned Binary

This detects an unsigned or untrusted process on macOS performing DNS lookups for common “what is my public IP” and geolocation services, a frequent reconnaissance step before external communications. It matters because malware uses the host’s external IP and region to choose C2 infrastructure, gate payload delivery, or evade sandboxing. A typical pattern is a dropped, unsigned Mach-O or script resolving api.ipify.org or ipinfo.io immediately after execution, then initiating outbound beacons.

### Possible investigation steps

- Identify the initiating process and parent chain, then validate whether the binary is expected for the host/user and whether it is actually unsigned versus a transient signature collection issue (on the host, `codesign -dv --verbose=4 <path>` prints the signature details and `spctl --assess --verbose <path>` gives the Gatekeeper verdict).  
- Review the same process’s near-term network activity for follow-on HTTP(S) requests to the resolved service and any subsequent connections to rare/new domains or IPs that could indicate C2 staging.  
- Pivot from the resolved domain to other endpoints to determine prevalence and timing, then prioritize isolated single-host hits with recent first-seen binaries.  
- Examine how the binary was introduced by correlating with recent downloads, archive mounts, installer executions, or quarantine/Gatekeeper events around the process start time (`xattr -p com.apple.quarantine <path>` shows the quarantine record, including the downloading agent, when the file still carries it).  
- Acquire and analyze the binary (hash reputation, static strings, entitlements, persistence mechanisms, and launch agents/daemons) to confirm intent and scope of compromise.

### False positive analysis

- A developer-built or locally compiled macOS utility/script (run from a user directory) performs a “what is my public IP” DNS lookup for telemetry, diagnostics, or environment detection, and is flagged because it lacks a trusted code signature.  
- An unsigned helper binary dropped by a legitimate installer/updater workflow briefly runs during setup to validate external connectivity or geolocation by resolving an IP-lookup domain, and is detected before the binary is signed or placed in its final trusted location.

### Response and remediation

- Isolate the affected macOS host from the network if the unsigned process continues to resolve IP-lookup domains (e.g., api.ipify.org, ipinfo.io) or initiates new outbound connections immediately after the lookup.  
- Quarantine the unsigned executable and any associated scripts from disk (preserving path, hashes, and a copy for analysis) and remove its persistence artifacts such as newly created LaunchAgents/LaunchDaemons, login items, or cron entries tied to the same binary.  
- Block the observed IP-lookup domains used by the unsigned process at DNS/web egress and add temporary deny rules for any follow-on suspicious destinations the process contacted after resolution.  
- Reset compromised credentials and invalidate active sessions for the logged-in user if the process originated from user-writable locations (Downloads, Desktop, /tmp) or if additional discovery/collection behavior is found on the host.  
- Reimage or restore the endpoint from a known-good state when persistence or tampering is confirmed, then verify Gatekeeper/XProtect status, re-enable security tooling, and monitor for recurrence of the same binary hash or domain pattern.  
- Escalate to the incident response team if the unsigned binary is newly seen in the environment, appears on multiple hosts, or is followed by connections to rare domains/IPs indicative of staging or command-and-control.
"""
risk_score = 47
rule_id = "47e46d85-3963-44a0-b856-bccff48f8676"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
dns where host.os.type == "macos" and event.action == "lookup_result" and 
  (process.code_signature.trusted == false or process.code_signature.exists == false) and
  dns.question.name like~ ("*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*",
                           "*api.npoint.io*", "*whatismyip.akamai.com*", "*bot.whatismyipaddress.com*",
                           "*ifcfg.me*", "*ifconfig.me*", "*ident.me*", "*ipof.in*", "*ip.tyk.nu*",
                           "*ipwhois.app*", "*freeipapi.com*", "*icanhazip.com*", "*curlmyip.com*",
                           "*wgetip.com*", "*eth0.me*", "*ipecho.net*", "*ip.appspot.com*",
                           "*api.myip.com*", "*geoiptool.com*", "*api.2ip.ua*", "*api.ip.sb*",
                           "*ipinfo.io*", "*checkip.amazonaws.com*", "*wtfismyip.com*", "*iplogger.*",
                           "*freegeoip.net*", "*freegeoip.app*", "*myip.ipip.net*", "*geoplugin.net*",
                           "*myip.dnsomatic.com*", "*www.geoplugin.net*", "*api64.ipify.org*",
                           "*ip4.seeip.org*", "*.geojs.io*", "*portmap.io*", "*api.db-ip.com*",
                           "*geolocation-db.com*", "*inet-ip.info*", "*httpbin.org*", "*myip.opendns.com*") and
  not process.executable like "/Users/*/Library/Developer/CoreSimulator/*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Discovery"
  id = "TA0007"
  reference = "https://attack.mitre.org/tactics/TA0007/"

  [[rule.threat.technique]]
  name = "System Network Configuration Discovery"
  id = "T1016"
  reference = "https://attack.mitre.org/techniques/T1016/"

    [[rule.threat.technique.subtechnique]]
    name = "Internet Connection Discovery"
    id = "T1016.001"
    reference = "https://attack.mitre.org/techniques/T1016/001/"
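The following is an added worked example, not code from the Elastic rule or its repository. It re-implements the rule's EQL where-clause in plain Python so the matching semantics can be checked offline (the case-insensitive `like~` on the query name, the case-sensitive `like` on the CoreSimulator exclusion, and the fact that `== false` only matches when the code-signature field is present and false, so a process with no `code_signature` object at all does not fire the rule), and then carries out the first two pivots from the investigation guide (follow-on network connections by the alerting process, and the resolved domain's prevalence across hosts). All events are constructed in ECS shape; the host ids, paths, process entity ids and the `203.0.113.10` destination are made up, and the network event's `event.action` / `destination.*` field names are assumed to follow the Elastic Defend network event layout rather than copied from real telemetry.

```python
# Added example, not code from the Elastic rule or its repository: the rule's EQL
# where-clause re-implemented in Python plus two investigation-guide pivots, run over
# constructed ECS-style Elastic Defend events (all hosts, paths and ids are made up).
import fnmatch
from datetime import datetime, timedelta

# Domain globs copied from the rule's query; EQL `like~` is case-insensitive.
IP_LOOKUP_PATTERNS = [
    "*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*", "*api.npoint.io*",
    "*whatismyip.akamai.com*", "*bot.whatismyipaddress.com*", "*ifcfg.me*", "*ifconfig.me*",
    "*ident.me*", "*ipof.in*", "*ip.tyk.nu*", "*ipwhois.app*", "*freeipapi.com*", "*icanhazip.com*",
    "*curlmyip.com*", "*wgetip.com*", "*eth0.me*", "*ipecho.net*", "*ip.appspot.com*",
    "*api.myip.com*", "*geoiptool.com*", "*api.2ip.ua*", "*api.ip.sb*", "*ipinfo.io*",
    "*checkip.amazonaws.com*", "*wtfismyip.com*", "*iplogger.*", "*freegeoip.net*",
    "*freegeoip.app*", "*myip.ipip.net*", "*geoplugin.net*", "*myip.dnsomatic.com*",
    "*www.geoplugin.net*", "*api64.ipify.org*", "*ip4.seeip.org*", "*.geojs.io*", "*portmap.io*",
    "*api.db-ip.com*", "*geolocation-db.com*", "*inet-ip.info*", "*httpbin.org*", "*myip.opendns.com*",
]
# The exclusion uses plain `like`, which is case-sensitive.
EXCLUDED_EXECUTABLES = ["/Users/*/Library/Developer/CoreSimulator/*"]

def field(event, path):
    """Read a dotted ECS field from a nested dict; None when any part is absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def like(value, pattern, ci=False):
    """EQL `like` / `like~`: `*` matches any run of characters, `?` exactly one."""
    if not isinstance(value, str):
        return False  # a null field never satisfies a comparison in EQL
    if ci:
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)

def matches_rule(event):
    """Python equivalent of the rule's `dns where ...` predicate for a single event."""
    if (field(event, "event.category") != "dns" or field(event, "host.os.type") != "macos"
            or field(event, "event.action") != "lookup_result"):
        return False
    # `== false` is true only when the field is present and false: a process with no
    # code_signature object at all (null) satisfies neither side of the `or`.
    trusted = field(event, "process.code_signature.trusted")
    exists = field(event, "process.code_signature.exists")
    if not (trusted is False or exists is False):
        return False
    if not any(like(field(event, "dns.question.name"), p, ci=True) for p in IP_LOOKUP_PATTERNS):
        return False
    return not any(like(field(event, "process.executable"), p) for p in EXCLUDED_EXECUTABLES)

def follow_on_connections(alert, events, window=timedelta(minutes=5)):
    """Triage pivot: outbound connections by the alerting process within `window` of the lookup."""
    t0, pid = datetime.fromisoformat(alert["@timestamp"]), field(alert, "process.entity_id")
    out = []
    for e in events:
        if field(e, "event.category") == "network" and field(e, "process.entity_id") == pid:
            if t0 <= datetime.fromisoformat(e["@timestamp"]) <= t0 + window:
                out.append((field(e, "destination.ip"), field(e, "destination.port")))
    return out

def domain_prevalence(domain, events):
    """Triage pivot: number of distinct hosts that resolved the same name, by any process."""
    return len({field(e, "host.id") for e in events if field(e, "event.category") == "dns"
                and (field(e, "dns.question.name") or "").lower() == domain.lower()})

def make_event(ts, host, category, action, exe, pid, sig=None, os="macos", **extra):
    """Build a minimal ECS-shaped event (constructed sample, not real Defend output)."""
    e = {"@timestamp": ts, "host": {"id": host, "os": {"type": os}},
         "event": {"category": category, "action": action},
         "process": {"executable": exe, "entity_id": pid}}
    if sig is not None:
        e["process"]["code_signature"] = sig
    e.update(extra)
    return e

T = "2026-02-09T10:00:0{}+00:00"
EVENTS = [  # constructed sample telemetry, in arrival order
    # unsigned Mach-O dropped in /tmp resolves api.ipify.org -> alerts
    make_event(T.format(0), "host-a", "dns", "lookup_result", "/tmp/.update", "p1",
               sig={"exists": False}, dns={"question": {"name": "api.ipify.org"}}),
    # the same process beacons out two seconds later -> follow-on connection
    make_event(T.format(2), "host-a", "network", "connection_attempted", "/tmp/.update", "p1",
               destination={"ip": "203.0.113.10", "port": 443}),
    # Apple-signed curl resolving ifconfig.me -> trusted signature, no alert
    make_event(T.format(0), "host-b", "dns", "lookup_result", "/usr/bin/curl", "p2",
               sig={"exists": True, "trusted": True}, dns={"question": {"name": "ifconfig.me"}}),
    # unsigned app running inside an Xcode simulator -> hits the executable exclusion
    make_event(T.format(0), "host-c", "dns", "lookup_result",
               "/Users/dev/Library/Developer/CoreSimulator/Devices/1/app", "p3",
               sig={"exists": False}, dns={"question": {"name": "ipinfo.io"}}),
    # mixed-case query name from an unsigned script -> like~ still matches, alerts
    make_event(T.format(0), "host-d", "dns", "lookup_result", "/Users/me/Downloads/run.sh", "p4",
               sig={"exists": False}, dns={"question": {"name": "API.IPIFY.ORG"}}),
    # no code_signature object at all -> null, does not satisfy `== false`, no alert
    make_event(T.format(0), "host-e", "dns", "lookup_result", "/tmp/x", "p5",
               dns={"question": {"name": "icanhazip.com"}}),
]
ALERTS = [e for e in EVENTS if matches_rule(e)]
```

Running this yields two alerts (host-a and host-d), one follow-on connection to 203.0.113.10:443 from the host-a process, and a prevalence of two hosts for api.ipify.org. The last sample event is the caveat worth remembering when tuning: the rule relies on Elastic Defend populating `process.code_signature.exists` as `false` for unsigned binaries, because an event with no `code_signature` object at all is null on both comparisons and never matches. In a real deployment the two pivots are the same joins expressed as an EQL `sequence` by `process.entity_id` or as an aggregation over `dns.question.name` against `logs-endpoint.events.network-*`, rather than a Python loop.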
