Suspicious Network Connection to IP Lookup Service APIs

Detects external IP address lookups by non-browser processes to services such as api.ipify.org. A lookup of this kind from a script host, a command-line tool or an unknown binary can indicate post-compromise internet connectivity testing, or an attacker learning the public IP of the host they have just landed on.

Sigma rule

```yaml
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: experimental
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/24
modified: 2024/02/08
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'api.2ip.ua'
            - 'api.bigdatacloud.net'
            - 'api.ipify.org'
            - 'bot.whatismyipaddress.com'
            - 'canireachthe.net'
            - 'checkip.amazonaws.com'
            - 'checkip.dyndns.org'
            - 'curlmyip.com'
            - 'db-ip.com'
            - 'edns.ip-api.com'
            - 'eth0.me'
            - 'freegeoip.app'
            - 'geoipy.com'
            - 'getip.pro'
            - 'icanhazip.com'
            - 'ident.me'
            - 'ifconfig.io'
            - 'ifconfig.me'
            - 'ip-api.com'
            - 'ip.anysrc.net'
            - 'ip.tyk.nu'
            - 'ipaddressworld.com'
            - 'ipapi.co'
            - 'ipconfig.io'
            - 'ipecho.net'
            - 'ipinfo.io'
            - 'ipof.in'
            - 'ipv4.icanhazip.com'
            - 'ipv4bot.whatismyipaddress.com'
            - 'ipwho.is'
            - 'l2.io'
            - 'myexternalip.com'
            - 'wgetip.com'
            - 'whatismyip.akamai.com'
            - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
```
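As an added example that is not part of the rule or of the Sigma project's tooling, the following Python replays the rule's `selection` and `filter_optional_*` logic over a handful of constructed Sysmon Event ID 3 (network_connection) records, so you can see which events would fire before shipping it to a SIEM. The field names (`Image`, `DestinationHostname`) are the Sysmon fields the rule keys on; the event records and their `id` labels are constructed for the demonstration and are not captured logs.

```python
# Added example, not from the rule or from Sigma tooling: replays the
# selection / filter_optional_* logic of this rule over constructed Sysmon
# Event ID 3 (network_connection) records. Sigma's contains/startswith/
# endswith modifiers are case-insensitive, so everything is compared lowercased.

# DestinationHostname|contains values, copied from the rule
IP_LOOKUP_HOSTS = [
    "api.2ip.ua", "api.bigdatacloud.net", "api.ipify.org",
    "bot.whatismyipaddress.com", "canireachthe.net", "checkip.amazonaws.com",
    "checkip.dyndns.org", "curlmyip.com", "db-ip.com", "edns.ip-api.com",
    "eth0.me", "freegeoip.app", "geoipy.com", "getip.pro", "icanhazip.com",
    "ident.me", "ifconfig.io", "ifconfig.me", "ip-api.com", "ip.anysrc.net",
    "ip.tyk.nu", "ipaddressworld.com", "ipapi.co", "ipconfig.io", "ipecho.net",
    "ipinfo.io", "ipof.in", "ipv4.icanhazip.com", "ipv4bot.whatismyipaddress.com",
    "ipwho.is", "l2.io", "myexternalip.com", "wgetip.com",
    "whatismyip.akamai.com", "wtfismyip.com",
]

# filter_optional_*: exact Image paths, Image|endswith suffixes, and the two
# Edge variants, spelled as the rule spells them
BROWSER_IMAGES = {p.lower() for p in (
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
)}
BROWSER_SUFFIXES = tuple(s.lower() for s in (
    r"\brave.exe", r"\maxthon.exe", r"\opera.exe", r"\safari.exe",
    r"\seamonkey.exe", r"\vivaldi.exe", r"\whale.exe",
    r"\WindowsApps\MicrosoftEdge.exe",
))
EDGE_WEBVIEW_PREFIX = "c:\\program files (x86)\\microsoft\\edgewebview\\application\\"
EDGECORE_PREFIXES = ("c:\\program files (x86)\\microsoft\\edgecore\\",
                     "c:\\program files\\microsoft\\edgecore\\")
EDGECORE_SUFFIXES = ("\\msedge.exe", "\\msedgewebview2.exe")


def selection(event):
    """'selection': DestinationHostname contains any listed lookup host."""
    host = event.get("DestinationHostname", "").lower()
    return any(h in host for h in IP_LOOKUP_HOSTS)


def is_known_browser(image):
    """'1 of filter_optional_*': Image is one of the listed browser paths."""
    img = image.lower()
    if img in BROWSER_IMAGES or img.endswith(BROWSER_SUFFIXES):
        return True
    if img.startswith(EDGE_WEBVIEW_PREFIX):          # filter_optional_edge_1
        return True
    return (img.startswith(EDGECORE_PREFIXES)        # filter_optional_edge_2
            and img.endswith(EDGECORE_SUFFIXES))


def rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not is_known_browser(event.get("Image", ""))


def evaluate(events):
    """Return the ids of the events that would raise this alert."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed Event ID 3 records (not captured logs); only the fields the rule
# reads are included, plus an id label for the demonstration.
SAMPLE_EVENTS = [
    {"id": "ps-ipify", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.ipify.org"},
    {"id": "chrome-system", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "ipinfo.io"},
    # per-user Chrome install under AppData: not covered by filter_optional_chrome
    {"id": "chrome-userprofile",
     "Image": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "ipinfo.io"},
    # mixed case in the log: Sigma string matching is case-insensitive
    {"id": "curl-ifconfig", "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "IFCONFIG.ME"},
    {"id": "edge-system", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationHostname": "wtfismyip.com"},
    {"id": "svchost-wu", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Two things the replay makes visible. First, the browser filters are path-specific: Chrome installed per-user under `AppData\Local` is not excluded, so those hosts will alert on ordinary browsing until you extend the filter or tune it to your fleet. Second, `contains` is plain substring matching, so `ipapi.co` also covers `ipapi.com` and `ident.me` matches any hostname that embeds it; that is acceptable for a medium-level discovery rule but worth knowing when triaging. Separately, Sysmon populates `DestinationHostname` from a reverse DNS lookup of the destination IP, so for lookup services fronted by a CDN the field may carry the CDN's name rather than the API hostname and the event will not match; correlate with Sysmon DNS query events (Event ID 22) or proxy logs if you need coverage there.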
