Suspicious DNS Query for IP Lookup Service APIs

Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.

Sigma rule

```yaml
title: Suspicious DNS Query for IP Lookup Service APIs
id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
status: test
description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
references:
    - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
    - https://twitter.com/neonprimetime/status/1436376497980428318
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Brandon George (blog post), Thomas Patzke
date: 2021/07/08
modified: 2024/02/08
tags:
    - attack.reconnaissance
    - attack.t1590
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains:
            - 'api.2ip.ua'
            - 'api.bigdatacloud.net'
            - 'api.ipify.org'
            - 'bot.whatismyipaddress.com'
            - 'canireachthe.net'
            - 'checkip.amazonaws.com'
            - 'checkip.dyndns.org'
            - 'curlmyip.com'
            - 'db-ip.com'
            - 'edns.ip-api.com'
            - 'eth0.me'
            - 'freegeoip.app'
            - 'geoipy.com'
            - 'getip.pro'
            - 'icanhazip.com'
            - 'ident.me'
            - 'ifconfig.io'
            - 'ifconfig.me'
            - 'ip-api.com'
            - 'ip.anysrc.net'
            - 'ip.tyk.nu'
            - 'ipaddressworld.com'
            - 'ipapi.co'
            - 'ipconfig.io'
            - 'ipecho.net'
            - 'ipinfo.io'
            - 'ipof.in'
            - 'ipv4.icanhazip.com'
            - 'ipv4bot.whatismyipaddress.com'
            - 'ipwho.is'
            - 'l2.io'
            - 'myexternalip.com'
            - 'wgetip.com'
            - 'whatismyip.akamai.com'
            - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate usage of IP lookup services such as ipify API
level: medium
```
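To show how the selection and the `filter_optional_*` exclusions combine under `selection and not 1 of filter_optional_*`, here is an added Python re-implementation of the rule's matching logic run over constructed Windows DNS query events (the `QueryName` and `Image` fields of a Sysmon Event ID 22 record). This is example code, not part of the SigmaHQ rule or this page; the sample image paths are invented, and only a subset of the domain list and browser filters is carried over.

```python
# Added example: re-implements the rule's matching over constructed Sysmon
# EID 22 style events (fields QueryName, Image). Not the SigmaHQ rule itself.
from typing import Dict, List

# Subset of the rule's QueryName|contains list (constructed selection).
IP_LOOKUP_DOMAINS = ("api.ipify.org", "checkip.amazonaws.com", "icanhazip.com",
                     "ifconfig.me", "ip-api.com", "ipinfo.io", "wtfismyip.com")
# Exact-path exclusions (filter_optional_chrome/firefox/edge_1), lower-cased.
BROWSER_EXACT = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
    "c:\\program files\\microsoft\\edge\\application\\msedge.exe",
}
# Image|endswith exclusions (brave, maxthon, opera, ... and WindowsApps Edge).
BROWSER_SUFFIXES = ("\\brave.exe", "\\maxthon.exe", "\\opera.exe", "\\safari.exe",
                    "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe",
                    "\\windowsapps\\microsoftedge.exe")
EDGE_WEBVIEW_PREFIX = "c:\\program files (x86)\\microsoft\\edgewebview\\application\\"
# filter_optional_edge_2: both keys sit in one map, so startswith AND endswith.
EDGE_CORE_PREFIXES = ("c:\\program files (x86)\\microsoft\\edgecore\\",
                      "c:\\program files\\microsoft\\edgecore\\")
EDGE_CORE_SUFFIXES = ("\\msedge.exe", "\\msedgewebview2.exe")

def is_browser(image: str) -> bool:
    """True when any filter_optional_* block matches (Sigma compares case-insensitively)."""
    img = image.lower()
    if img in BROWSER_EXACT or img.endswith(BROWSER_SUFFIXES):
        return True
    if img.startswith(EDGE_WEBVIEW_PREFIX):
        return True
    return img.startswith(EDGE_CORE_PREFIXES) and img.endswith(EDGE_CORE_SUFFIXES)

def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    name = event["QueryName"].lower()
    return any(d in name for d in IP_LOOKUP_DOMAINS) and not is_browser(event["Image"])

def alerting_images(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if matches_rule(e)]

# Constructed sample events; paths are illustrative and not from the page.
SAMPLE_EVENTS = [
    {"QueryName": "api.ipify.org", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"QueryName": "api.ipify.org", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"QueryName": "ipinfo.io", "Image": "C:\\Program Files\\Microsoft\\EdgeCore\\121.0\\msedge.exe"},
    {"QueryName": "login.microsoftonline.com", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"QueryName": "ifconfig.me", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]
```

Running `alerting_images(SAMPLE_EVENTS)` returns only the Temp-directory binary and PowerShell: the Chrome and EdgeCore queries are dropped by the exclusions and the Microsoft login lookup never hits the selection. Because the `endswith` filters key on the file name alone, corroborating an alert with the image's signer or hash fields, where the log source provides them, makes the exclusion list harder to abuse.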
