Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could indicate post-compromise internet connectivity testing.
Sigma rule
```yaml
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: experimental
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/24
modified: 2023/05/12
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'api.2ip.ua'
            - 'api.ipify.org'
            - 'bot.whatismyipaddress.com'
            - 'canireachthe.net'
            - 'checkip.amazonaws.com'
            - 'checkip.dyndns.org'
            - 'curlmyip.com'
            - 'edns.ip-api.com'
            - 'eth0.me'
            - 'freegeoip.app'
            - 'geoipy.com'
            - 'getip.pro'
            - 'icanhazip.com'
            - 'ident.me'
            - 'ifconfig.io'
            - 'ifconfig.me'
            - 'ip-api.com'
            - 'ip.anysrc.net'
            - 'ip.tyk.nu'
            - 'ipaddressworld.com'
            - 'ipecho.net'
            - 'ipinfo.io'
            - 'ipof.in'
            - 'ipv4.icanhazip.com'
            - 'ipv4bot.whatismyipaddress.com'
            - 'ipwho.is'
            - 'l2.io'
            - 'myexternalip.com'
            - 'wgetip.com'
            - 'whatismyip.akamai.com'
            - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
```
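To see how the rule's pieces combine, the following added example (not code from the Sigma repository) re-implements the modifiers this rule uses (`contains`, `startswith`, `endswith`, exact match, all case-insensitive as Sigma defines them) and the `selection and not 1 of filter_optional_*` condition, then runs them over constructed Sysmon-style network_connection events. It covers a representative subset of the hostnames and browser filters; the YAML list-of-maps in `filter_optional_edge_1` is OR, while the two keys in `filter_optional_edge_2` are AND.

```python
# Added example (not from the Sigma repository): evaluates the rule's selection,
# browser filters and condition against constructed network_connection events.
# Subset of the rule's DestinationHostname|contains list.
IP_LOOKUP_HOSTS = ["api.2ip.ua", "api.ipify.org", "checkip.amazonaws.com",
                   "icanhazip.com", "ifconfig.me", "ip-api.com", "ipinfo.io"]

def _match(value, pattern, mode):
    v, p = value.lower(), pattern.lower()      # Sigma string matching is case-insensitive
    return {"contains": p in v, "startswith": v.startswith(p),
            "endswith": v.endswith(p), "exact": v == p}[mode]

def _field_matches(event, field, mode, patterns):
    # One 'Field|modifier: [values]' entry: OR across the listed values.
    return any(_match(event.get(field, ""), p, mode) for p in patterns)

# Each filter is a list of alternatives (YAML list = OR); each alternative is a list of
# field tests (YAML map = AND). Representative subset of the rule's filter_optional_* blocks.
BROWSER_FILTERS = {
    "brave": [[("Image", "endswith", ["\\brave.exe"])]],
    "chrome": [[("Image", "exact", [r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                   r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"])]],
    "edge_1": [[("Image", "startswith", ["C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"])],
               [("Image", "endswith", ["\\WindowsApps\\MicrosoftEdge.exe"])],
               [("Image", "exact", [r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                                    r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"])]],
    "edge_2": [[("Image", "startswith", ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                                         "C:\\Program Files\\Microsoft\\EdgeCore\\"]),
                ("Image", "endswith", ["\\msedge.exe", "\\msedgewebview2.exe"])]],
}

def selection(event):
    return _field_matches(event, "DestinationHostname", "contains", IP_LOOKUP_HOSTS)

def browser_filter_hit(event):
    # '1 of filter_optional_*': true if any alternative of any filter matches.
    return any(all(_field_matches(event, *test) for test in alt)
               for alts in BROWSER_FILTERS.values() for alt in alts)

def rule_matches(event):
    # condition: selection and not 1 of filter_optional_*
    return selection(event) and not browser_filter_hit(event)

# Constructed sample events (field names as in Sysmon Event ID 3); the version folder is made up.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationHostname": "api.ipify.org"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationHostname": "ipinfo.io"},
    {"Image": r"C:\Program Files\Microsoft\EdgeCore\1.2.3.4\msedge.exe", "DestinationHostname": "ifconfig.me"},
    {"Image": r"C:\Users\Public\msedge.exe", "DestinationHostname": "IFCONFIG.ME"},   # browser name, unexpected path
    {"Image": r"C:\Windows\System32\curl.exe", "DestinationHostname": "example.com"},
]

def alerts(events=EVENTS):
    return [e["Image"].rsplit("\\", 1)[-1] for e in events if rule_matches(e)]
```

Note that the fourth event alerts even though the binary is named msedge.exe: the Edge filters key on full or prefix paths, so a browser-named process in an unexpected location is not excluded.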