Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
Sigma rule (View on GitHub)
1title: Suspicious Network Connection to IP Lookup Service APIs
2id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
3related:
4 - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
5 type: derived
6status: experimental
7description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
8references:
9 - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
10 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
11 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
12 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
13author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
14date: 2023-04-24
15modified: 2024-03-22
16tags:
17 - attack.discovery
18 - attack.t1016
19logsource:
20 category: network_connection
21 product: windows
22detection:
23 selection:
24 - DestinationHostname:
25 - 'www.ip.cn'
26 - 'l2.io'
27 - DestinationHostname|contains:
28 - 'api.2ip.ua'
29 - 'api.bigdatacloud.net'
30 - 'api.ipify.org'
31 - 'bot.whatismyipaddress.com'
32 - 'canireachthe.net'
33 - 'checkip.amazonaws.com'
34 - 'checkip.dyndns.org'
35 - 'curlmyip.com'
36 - 'db-ip.com'
37 - 'edns.ip-api.com'
38 - 'eth0.me'
39 - 'freegeoip.app'
40 - 'geoipy.com'
41 - 'getip.pro'
42 - 'icanhazip.com'
43 - 'ident.me'
44 - 'ifconfig.io'
45 - 'ifconfig.me'
46 - 'ip-api.com'
47 - 'ip.360.cn'
48 - 'ip.anysrc.net'
49 - 'ip.taobao.com'
50 - 'ip.tyk.nu'
51 - 'ipaddressworld.com'
52 - 'ipapi.co'
53 - 'ipconfig.io'
54 - 'ipecho.net'
55 - 'ipinfo.io'
56 - 'ipip.net'
57 - 'ipof.in'
58 - 'ipv4.icanhazip.com'
59 - 'ipv4bot.whatismyipaddress.com'
60 - 'ipv6-test.com'
61 - 'ipwho.is'
62 - 'jsonip.com'
63 - 'myexternalip.com'
64 - 'seeip.org'
65 - 'wgetip.com'
66 - 'whatismyip.akamai.com'
67 - 'whois.pconline.com.cn'
68 - 'wtfismyip.com'
69 filter_optional_brave:
70 Image|endswith: '\brave.exe'
71 filter_optional_chrome:
72 Image:
73 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
74 - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
75 filter_optional_firefox:
76 Image:
77 - 'C:\Program Files\Mozilla Firefox\firefox.exe'
78 - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
79 filter_optional_ie:
80 Image:
81 - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
82 - 'C:\Program Files\Internet Explorer\iexplore.exe'
83 filter_optional_maxthon:
84 Image|endswith: '\maxthon.exe'
85 filter_optional_edge_1:
86 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
87 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
88 - Image:
89 - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
90 - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
91 filter_optional_edge_2:
92 Image|startswith:
93 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
94 - 'C:\Program Files\Microsoft\EdgeCore\'
95 Image|endswith:
96 - '\msedge.exe'
97 - '\msedgewebview2.exe'
98 filter_optional_opera:
99 Image|endswith: '\opera.exe'
100 filter_optional_safari:
101 Image|endswith: '\safari.exe'
102 filter_optional_seamonkey:
103 Image|endswith: '\seamonkey.exe'
104 filter_optional_vivaldi:
105 Image|endswith: '\vivaldi.exe'
106 filter_optional_whale:
107 Image|endswith: '\whale.exe'
108 condition: selection and not 1 of filter_optional_*
109falsepositives:
110 - Legitimate use of the external websites for troubleshooting or network monitoring
111level: medium
References
Related rules
- Cisco Discovery
- Nltest.EXE Execution
- OpenCanary - SNMP OID Request
- Potential Recon Activity Via Nltest.EXE
- Suspicious Network Command