External IP Address Discovery via Curl
Detects applications making a curl request to a known public IP address lookup web service. Malware commonly performs this action during reconnaissance to assess potential targets and identify the victim's external IP address.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects applications making a curl request to a known public IP address lookup web service. Malware commonly
performs this action during reconnaissance to assess potential targets and identify the victim's external
IP address.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "External IP Address Discovery via Curl"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating External IP Address Discovery via Curl

This rule detects macOS processes launching curl (or nscurl) to query common public “what is my IP” and geolocation services, often from unusual parent applications or untrusted/unsigned code. Attackers use this to learn the victim’s outward-facing address and network context to guide follow-on targeting, routing, or staging decisions. A typical pattern is a script or dropped binary spawning curl with a short command that hits ipify/ipinfo/ifconfig-style endpoints immediately after execution.

### Possible investigation steps

- Review the full process tree and timeline around the curl execution to identify the initiating app/script, preceding download or execution activity, and any rapid follow-on discovery or persistence commands.
- Examine the curl/nscurl command line and stdout/stderr capture (if available) to confirm the external-IP lookup intent and whether results were written to disk, environment variables, or passed to subsequent processes.
- Correlate with network telemetry for the same host and time window to verify the outbound connection, destination IP/ASN, DNS resolution, TLS/SNI details, and any additional unexpected egress to non-lookup infrastructure.
- Validate the provenance of the parent executable by checking its path, quarantine/notarization status, signature trust, and recent file creation/modification events to assess whether it was dropped or launched from a user-writable location.
- Hunt for repeat occurrences across the endpoint (and fleet) that share the same parent, script content, or destination services, then check for associated indicators like new launch agents/daemons, cron jobs, or suspicious login items.

### False positive analysis

- A user or admin runs a short shell one-liner (bash/zsh with an http-containing command line) that uses curl to quickly confirm the Mac’s external IP during routine troubleshooting, VPN verification, or connectivity checks.
- A legitimate but unsigned/not-yet-trusted macOS app launched from /Applications, a mounted /Volumes installer/dmg, or a temporary /private/var/folders path performs an external IP lookup via curl as part of initialization, telemetry, or network diagnostics.

### Response and remediation

- Isolate the affected Mac from the network if the curl/nscurl external-IP lookup is spawned by an unsigned/untrusted parent or from user-writable paths (e.g., /private/var/folders, mounted /Volumes) to prevent follow-on command-and-control.
- Quarantine and remove the initiating artifact (app/script/binary) and any associated installers or DMGs, then block its hash and the specific lookup domains contacted (e.g., ipinfo.io, api.ipify.org, ifconfig.me) at egress/DNS to stop repeat discovery.
- Hunt for and delete persistence created around the event (LaunchAgents/LaunchDaemons, login items, cron entries) and terminate any remaining suspicious processes that inherit environment/output from the curl call.
- Reset exposed credentials and invalidate active sessions if the same parent process also accessed browsers, keychain, SSH keys, or configuration files shortly before/after the lookup, and rotate VPN/API tokens used on the host.
- Reimage or restore the endpoint from a known-good snapshot if additional unknown binaries, repeated external-IP lookups, or unexpected outbound connections are observed after cleanup, then validate with a follow-up scan and a clean process baseline.
- Escalate to IR leadership immediately if the external-IP lookup is followed by downloads/execution, persistence creation, or connections to newly registered/rare domains, and harden by restricting curl execution for non-admin contexts and tightening macOS app execution controls (Gatekeeper/notarization).
"""
risk_score = 21
rule_id = "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
  ((process.parent.executable like ("/Applications/*", "/Volumes/*", "/private/var/folders/*")) or
   (process.parent.name in ("bash", "sh", "zsh") and process.parent.command_line like "*http*") or
   (process.parent.code_signature.trusted == false or process.code_signature.exists == false)) and
  process.name in ("curl", "nscurl") and
  process.args_count <= 5 and
  process.command_line like ("*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*",
                             "*whatismyip.akamai.com*", "*ifcfg.me*", "*ifconfig.me*", "*ident.me*",
                             "*icanhazip.com*", "*ipecho.net*", "*api.myip.com*", "*checkip.amazonaws.com*",
                             "*wtfismyip.com*", "*iplogger.*", "*freegeoip.net*", "*ipinfo.io*",
                             "*geoplugin.net*", "*httpbin.org*", "*myip.opendns.com*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Discovery"
  id = "TA0007"
  reference = "https://attack.mitre.org/tactics/TA0007/"

  [[rule.threat.technique]]
  name = "System Network Configuration Discovery"
  id = "T1016"
  reference = "https://attack.mitre.org/techniques/T1016/"

    [[rule.threat.technique.subtechnique]]
    name = "Internet Connection Discovery"
    id = "T1016.001"
    reference = "https://attack.mitre.org/techniques/T1016/001/"
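The query above is the rule itself. What follows is an added example, not code from the Elastic rule or its repository: a Python re-implementation of the query's predicates, evaluated over constructed ECS-style process events (hypothetical paths and command lines, not real telemetry), so you can see which curl invocations the rule matches and which it stays quiet on. It approximates EQL semantics as follows: `like` is treated as a case-sensitive glob, `in` as an exact membership test, and a missing (null) field never satisfies a comparison. `process.args_count` is computed as the length of argv including argv[0], which is how Elastic Defend populates it.

```python
"""Added example, not part of the Elastic rule: re-implement the rule's EQL predicate in
Python and run it over constructed macOS process events."""
import shlex
from fnmatch import fnmatchcase

# Patterns copied verbatim from the rule's query.
IP_LOOKUP_PATTERNS = (
    "*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*",
    "*whatismyip.akamai.com*", "*ifcfg.me*", "*ifconfig.me*", "*ident.me*",
    "*icanhazip.com*", "*ipecho.net*", "*api.myip.com*", "*checkip.amazonaws.com*",
    "*wtfismyip.com*", "*iplogger.*", "*freegeoip.net*", "*ipinfo.io*",
    "*geoplugin.net*", "*httpbin.org*", "*myip.opendns.com*",
)
SUSPICIOUS_PARENT_PATHS = ("/Applications/*", "/Volumes/*", "/private/var/folders/*")
SHELLS = ("bash", "sh", "zsh")
CLIENTS = ("curl", "nscurl")


def _like(value, patterns):
    """EQL `like`: case-sensitive glob match; a missing (null) field never matches."""
    return value is not None and any(fnmatchcase(value, p) for p in patterns)


def matches_rule(ev):
    """Evaluate the rule's `process where ...` predicate over one flat ECS event dict."""
    if not (ev.get("host.os.type") == "macos"
            and ev.get("event.type") == "start"
            and ev.get("event.action") == "exec"):
        return False
    # Context branch: suspicious parent path, a shell whose command line carries a URL,
    # an untrusted parent signature, or no signature on the launched binary.
    suspicious_context = (
        _like(ev.get("process.parent.executable"), SUSPICIOUS_PARENT_PATHS)
        or (ev.get("process.parent.name") in SHELLS
            and _like(ev.get("process.parent.command_line"), ("*http*",)))
        or ev.get("process.parent.code_signature.trusted") is False
        or ev.get("process.code_signature.exists") is False
    )
    return (suspicious_context
            and ev.get("process.name") in CLIENTS
            and isinstance(ev.get("process.args_count"), int)
            and ev["process.args_count"] <= 5
            and _like(ev.get("process.command_line"), IP_LOOKUP_PATTERNS))


def make_event(parent_exe, parent_cmd, child_cmd, parent_trusted=True, child_signed=True):
    """Build a constructed macOS exec event; args_count counts argv[0] like Elastic Defend."""
    argv = shlex.split(child_cmd)
    return {
        "host.os.type": "macos", "event.type": "start", "event.action": "exec",
        "process.parent.executable": parent_exe,
        "process.parent.name": parent_exe.rsplit("/", 1)[-1],
        "process.parent.command_line": parent_cmd,
        "process.parent.code_signature.trusted": parent_trusted,
        "process.name": argv[0].rsplit("/", 1)[-1],
        "process.args_count": len(argv),
        "process.command_line": child_cmd,
        "process.code_signature.exists": child_signed,
    }


# Constructed sample events (hypothetical paths and commands, not real telemetry).
SAMPLES = {
    # Dropped shell one-liner: the parent's command line carries the URL, curl has 3 args.
    "dropped_script": make_event(
        "/bin/zsh", "zsh -c 'curl -s https://api.ipify.org > /tmp/.ip'",
        "curl -s https://api.ipify.org"),
    # Admin typing the same lookup in an interactive login shell: the parent command line
    # is just "-zsh", the parent is Apple-signed and lives outside the flagged paths.
    "interactive_admin": make_event("/bin/zsh", "-zsh", "curl https://ifconfig.me"),
    # Untrusted app in /Applications, but a verbose curl with 7 args exceeds the cap.
    "verbose_curl_from_app": make_event(
        "/Applications/Example.app/Contents/MacOS/Example", "Example",
        "curl -s -m 5 -o /tmp/ip.txt https://api.ipify.org", parent_trusted=False),
    # Untrusted binary staged in a temp folder querying a geolocation endpoint.
    "temp_binary_geo": make_event(
        "/private/var/folders/ab/T/dropper", "./dropper", "curl ipinfo.io/json",
        parent_trusted=False),
    # Same lookup, different client: the rule only inspects curl and nscurl.
    "wget_lookup": make_event(
        "/private/var/folders/ab/T/dropper", "./dropper",
        "wget -qO- https://ipinfo.io/ip", parent_trusted=False),
}


def evaluate_samples():
    """Return {label: matched} for every constructed sample."""
    return {label: matches_rule(ev) for label, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'quiet'}  {label}")
```

Two things the samples make visible. A lookup typed into an interactive login shell does not fire, because the parent's command line (`-zsh`) contains no `http` and `/bin/zsh` sits outside the flagged paths; the shell false-positive case on this page only arises when the URL is in the parent's own command line, as with `zsh -c '...'`. And a verbose curl (`-s -m 5 -o ...`) from an untrusted app is also silent, because `process.args_count <= 5` is a hard cap; if you raise it to recover those invocations, expect more noise from legitimate scripted diagnostics, which is why the rule's parent-context clause matters more than the domain list alone.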
Related rules
- DNS Request for IP Lookup Service via Unsigned Binary
- Discovery Command Output Written to Suspicious File
- Full Disk Access Permission Check
- Suspicious SIP Check by macOS Application
- System and Network Configuration Check