Adversaries may use geolocation lookups to identify and target specific geographic regions or infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential reconnaissance activities and early-stage threat indicators.
YARA Rule
rule lookupgeo {
    meta:
        author = "x0r"
        description = "Lookup Geolocation"
        version = "0.1"
    strings:
        $n1 = "j.maxmind.com" nocase
    condition:
        any of them
}
This rule contains one string pattern in its detection logic. It can be tuned for the following deployment contexts, each with a benign scenario and the corresponding filter or exclusion:
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs during off-hours to update system configurations or perform maintenance tasks.
Filter/Exclusion: Exclude IP addresses associated with internal infrastructure (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or use a filter like src_ip not in [internal_ip_range].
Scenario: Log Collection from Centralized Logging System
Description: Logs are being collected from remote servers using a tool like ELK Stack or Splunk. These logs may be sourced from internal IPs with geolocation data.
Filter/Exclusion: Exclude IPs associated with log collection agents (e.g., 10.10.0.0/16) or use a filter like src_ip in [log_agent_ip_range].
Scenario: Admin Task Using Remote Desktop (RDP)
Description: An administrator is performing a remote desktop session to troubleshoot an issue. The session may originate from a known internal IP.
Filter/Exclusion: Exclude IPs from known admin workstations (e.g., 10.20.0.0/24) or use a filter like src_ip in [admin_workstation_ips].
Scenario: Cloud Provider Metadata Service Access
Description: A cloud instance (e.g., AWS, Azure) is accessing its own metadata service to retrieve instance details. This access may be flagged due to geolocation lookup.
Filter/Exclusion: Exclude traffic to known metadata endpoints (e.g., 169.254.169.254, 169.254.170.2) or
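The following is an added example (not part of the original page or the rule author's code) that re-implements the rule's single case-insensitive string condition in plain Python and then applies the exclusion ranges named in the scenarios above; the sample request line and IP addresses are constructed, and the exclusion lists are assumed to be the placeholder values quoted in the scenarios rather than real environment data.

```python
from __future__ import annotations
import ipaddress

# The rule's only string, $n1 = "j.maxmind.com" nocase.
RULE_STRINGS = {"$n1": b"j.maxmind.com"}

# Exclusion values quoted in the scenarios above (assumed placeholders).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
METADATA_ENDPOINTS = {ipaddress.ip_address("169.254.169.254"),
                      ipaddress.ip_address("169.254.170.2")}


def matches_lookupgeo(data: bytes) -> list:
    """Return (identifier, offset) pairs, one per occurrence, as YARA
    would report them; 'nocase' is emulated by lower-casing both sides."""
    hits = []
    lowered = data.lower()
    for ident, pattern in RULE_STRINGS.items():
        needle = pattern.lower()
        start = 0
        while (idx := lowered.find(needle, start)) != -1:
            hits.append((ident, idx))
            start = idx + 1
    return hits


def triage(data: bytes, src_ip: str, dst_ip: str) -> str:
    """Evaluate 'any of them', then the scenario exclusions.
    Returns 'no-match', 'suppressed' or 'alert'."""
    if not matches_lookupgeo(data):          # condition: any of them
        return "no-match"
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst in METADATA_ENDPOINTS:            # cloud metadata scenario
        return "suppressed"
    if any(src in net for net in INTERNAL_RANGES):  # internal infra scenario
        return "suppressed"
    return "alert"


# Constructed sample: an HTTP request line referencing the MaxMind host.
SAMPLE = b"GET http://J.MaxMind.com/app/geoip.js HTTP/1.1\r\n"

if __name__ == "__main__":
    print(matches_lookupgeo(SAMPLE))
    print(triage(SAMPLE, "203.0.113.5", "198.51.100.7"))
```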