Suspicious DNS Query for IP Lookup Service APIs
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Sigma rule (View on GitHub)
1title: Suspicious DNS Query for IP Lookup Service APIs
2id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
3status: test
4description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
5references:
6 - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
7 - https://twitter.com/neonprimetime/status/1436376497980428318
8 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
9author: Brandon George (blog post), Thomas Patzke
10date: 2021-07-08
11modified: 2024-03-22
12tags:
13 - attack.reconnaissance
14 - attack.t1590
15logsource:
16 product: windows
17 category: dns_query
18detection:
19 selection:
20 - QueryName:
21 - 'www.ip.cn'
22 - 'l2.io'
23 - QueryName|contains:
24 - 'api.2ip.ua'
25 - 'api.bigdatacloud.net'
26 - 'api.ipify.org'
27 - 'bot.whatismyipaddress.com'
28 - 'canireachthe.net'
29 - 'checkip.amazonaws.com'
30 - 'checkip.dyndns.org'
31 - 'curlmyip.com'
32 - 'db-ip.com'
33 - 'edns.ip-api.com'
34 - 'eth0.me'
35 - 'freegeoip.app'
36 - 'geoipy.com'
37 - 'getip.pro'
38 - 'icanhazip.com'
39 - 'ident.me'
40 - 'ifconfig.io'
41 - 'ifconfig.me'
42 - 'ip-api.com'
43 - 'ip.360.cn'
44 - 'ip.anysrc.net'
45 - 'ip.taobao.com'
46 - 'ip.tyk.nu'
47 - 'ipaddressworld.com'
48 - 'ipapi.co'
49 - 'ipconfig.io'
50 - 'ipecho.net'
51 - 'ipinfo.io'
52 - 'ipip.net'
53 - 'ipof.in'
54 - 'ipv4.icanhazip.com'
55 - 'ipv4bot.whatismyipaddress.com'
56 - 'ipv6-test.com'
57 - 'ipwho.is'
58 - 'jsonip.com'
59 - 'myexternalip.com'
60 - 'seeip.org'
61 - 'wgetip.com'
62 - 'whatismyip.akamai.com'
63 - 'whois.pconline.com.cn'
64 - 'wtfismyip.com'
65 filter_optional_brave:
66 Image|endswith: '\brave.exe'
67 filter_optional_chrome:
68 Image:
69 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
70 - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
71 filter_optional_firefox:
72 Image:
73 - 'C:\Program Files\Mozilla Firefox\firefox.exe'
74 - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
75 filter_optional_ie:
76 Image:
77 - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
78 - 'C:\Program Files\Internet Explorer\iexplore.exe'
79 filter_optional_maxthon:
80 Image|endswith: '\maxthon.exe'
81 filter_optional_edge_1:
82 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
83 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
84 - Image:
85 - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
86 - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
87 filter_optional_edge_2:
88 Image|startswith:
89 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
90 - 'C:\Program Files\Microsoft\EdgeCore\'
91 Image|endswith:
92 - '\msedge.exe'
93 - '\msedgewebview2.exe'
94 filter_optional_opera:
95 Image|endswith: '\opera.exe'
96 filter_optional_safari:
97 Image|endswith: '\safari.exe'
98 filter_optional_seamonkey:
99 Image|endswith: '\seamonkey.exe'
100 filter_optional_vivaldi:
101 Image|endswith: '\vivaldi.exe'
102 filter_optional_whale:
103 Image|endswith: '\whale.exe'
104 condition: selection and not 1 of filter_optional_*
105falsepositives:
106 - Legitimate usage of IP lookup services such as ipify API
107level: medium
References
-
Binary Defense experts share the latest cyber threats, security best practices and insights for your business. Explore our library of cybersecurity resources including webinars, videos, blogs and more.
Read More -
The Trend Micro Managed XDR team investigated several Ducktail-related web browser credential dumping incidents involving different customers.
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked
- Bitbucket User Details Export Attempt Detected
- Bitbucket User Permissions Export Attempt