Obfuscated IP Via CLI

 1title: Obfuscated IP Via CLI
 2id: 56d19cb4-6414-4769-9644-1ed35ffbb148
 3status: experimental
 4description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
 5references:
 6    - https://h.43z.one/ipconverter/
 7    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
 8author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 9date: 2022/08/03
10modified: 2023/11/06
11tags:
12    - attack.discovery
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        Image|endswith:
19            - '\ping.exe'
20            - '\arp.exe'
21    selection_ip_1:
22        CommandLine|contains:
23            - ' 0x'
24            - '//0x'
25            - '.0x'
26            - '.00x'
27    selection_ip_2:
28        CommandLine|contains|all:
29            - 'http://%'
30            - '%2e'
31    selection_ip_3:
32        # http://81.4.31754
33        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
34        # http://81.293898
35        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
36        # http://1359248394
37        - CommandLine|re: 'https?://0[0-9]{3,11}'
38        # http://0121.04.0174.012
39        - CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
40        # http://012101076012
41        - CommandLine|re: 'https?://0[0-9]{1,11}'
42        # For octal format
43        - CommandLine|re: ' [0-7]{7,13}'
44    filter_main_valid_ip:
45        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
46    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
47falsepositives:
48    - Unknown
49level: medium