Suspicious Network Connection to IP Lookup Service APIs

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

Sigma rule (View on GitHub)

  1title: Suspicious Network Connection to IP Lookup Service APIs
  2id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
  3related:
  4    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
  5      type: derived
  6status: experimental
  7description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
  8references:
  9    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
 10    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
 11    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 12    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 13author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
 14date: 2023-04-24
 15modified: 2024-03-22
 16tags:
 17    - attack.discovery
 18    - attack.t1016
 19logsource:
 20    category: network_connection
 21    product: windows
 22detection:
 23    selection:
 24        - DestinationHostname:
 25              - 'www.ip.cn'
 26              - 'l2.io'
 27        - DestinationHostname|contains:
 28              - 'api.2ip.ua'
 29              - 'api.bigdatacloud.net'
 30              - 'api.ipify.org'
 31              - 'bot.whatismyipaddress.com'
 32              - 'canireachthe.net'
 33              - 'checkip.amazonaws.com'
 34              - 'checkip.dyndns.org'
 35              - 'curlmyip.com'
 36              - 'db-ip.com'
 37              - 'edns.ip-api.com'
 38              - 'eth0.me'
 39              - 'freegeoip.app'
 40              - 'geoipy.com'
 41              - 'getip.pro'
 42              - 'icanhazip.com'
 43              - 'ident.me'
 44              - 'ifconfig.io'
 45              - 'ifconfig.me'
 46              - 'ip-api.com'
 47              - 'ip.360.cn'
 48              - 'ip.anysrc.net'
 49              - 'ip.taobao.com'
 50              - 'ip.tyk.nu'
 51              - 'ipaddressworld.com'
 52              - 'ipapi.co'
 53              - 'ipconfig.io'
 54              - 'ipecho.net'
 55              - 'ipinfo.io'
 56              - 'ipip.net'
 57              - 'ipof.in'
 58              - 'ipv4.icanhazip.com'
 59              - 'ipv4bot.whatismyipaddress.com'
 60              - 'ipv6-test.com'
 61              - 'ipwho.is'
 62              - 'jsonip.com'
 63              - 'myexternalip.com'
 64              - 'seeip.org'
 65              - 'wgetip.com'
 66              - 'whatismyip.akamai.com'
 67              - 'whois.pconline.com.cn'
 68              - 'wtfismyip.com'
 69    filter_optional_brave:
 70        Image|endswith: '\brave.exe'
 71    filter_optional_chrome:
 72        Image:
 73            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
 74            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
 75    filter_optional_firefox:
 76        Image:
 77            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
 78            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
 79    filter_optional_ie:
 80        Image:
 81            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
 82            - 'C:\Program Files\Internet Explorer\iexplore.exe'
 83    filter_optional_maxthon:
 84        Image|endswith: '\maxthon.exe'
 85    filter_optional_edge_1:
 86        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 87        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
 88        - Image:
 89              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
 90              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
 91    filter_optional_edge_2:
 92        Image|startswith:
 93            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
 94            - 'C:\Program Files\Microsoft\EdgeCore\'
 95        Image|endswith:
 96            - '\msedge.exe'
 97            - '\msedgewebview2.exe'
 98    filter_optional_opera:
 99        Image|endswith: '\opera.exe'
100    filter_optional_safari:
101        Image|endswith: '\safari.exe'
102    filter_optional_seamonkey:
103        Image|endswith: '\seamonkey.exe'
104    filter_optional_vivaldi:
105        Image|endswith: '\vivaldi.exe'
106    filter_optional_whale:
107        Image|endswith: '\whale.exe'
108    condition: selection and not 1 of filter_optional_*
109falsepositives:
110    - Legitimate use of the external websites for troubleshooting or network monitoring
111level: medium

References

Related rules

to-top