Malware and adversary tooling commonly query public "what is my IP" services to learn the victim host's external (egress) IP address, and from it the victim's rough geolocation and network provider, and to confirm that the host has unfiltered internet access before proceeding (MITRE ATT&CK T1016.001, Internet Connection Discovery). Because ordinary business software rarely embeds these domains, their presence in a binary, or DNS and proxy requests to them from an endpoint, is a useful hunting lead. SOC teams can scan files and memory with the YARA rule below and hunt the matching network telemetry in Microsoft Sentinel (formerly Azure Sentinel) to surface reconnaissance activity early in an intrusion.
YARA Rule
rule lookupip {
    meta:
        author = "x0r"
        description = "Lookup external IP"
        version = "0.1"
    strings:
        $n1 = "checkip.dyndns.org" nocase
        $n2 = "whatismyip.org" nocase
        $n3 = "whatsmyipaddress.com" nocase
        $n4 = "getmyip.org" nocase
        $n5 = "getmyip.co.uk" nocase
    condition:
        any of them
}
The rule contains five plain ASCII string patterns, each matched case-insensitively (nocase), and fires when any one of them is present. It is meant for scanning files and process memory, for example with the yara command-line tool, yara-python, or an EDR that supports YARA scans; it does not inspect network traffic. Two caveats for deployment: the strings carry no wide modifier, so a sample that stores the domain as UTF-16 (common in Windows binaries) will not match; and legitimate dynamic DNS update clients such as ddclient use checkip.dyndns.org by design, so expect benign hits on those and tune them out by file hash or path rather than by weakening the rule.
The exclusions below apply to the Sentinel hunt over DNS or proxy telemetry (queries or requests to the same five domains), not to the YARA scan itself. Scope each exclusion to the source host that is known to perform the lookup, never to the destination domain, and confirm the host actually needs the lookup before excluding it.
Scenario: Scheduled system backups using Veeam Backup & Replication
Filter/Exclusion: Exclude requests whose source is the backup server's internal IP or the backup server's address range.
Scenario: Regular Ansible playbook execution for configuration management
Filter/Exclusion: Exclude requests whose source is a known Ansible control node or management host.
Scenario: PowerShell Desired State Configuration (DSC) resource synchronization
Filter/Exclusion: Exclude requests whose source is the DSC pull server's internal IP.
Scenario: SQL Server Agent jobs performing maintenance tasks such as index rebuilds
Filter/Exclusion: Exclude requests whose source is the SQL Server instance's internal IP or its server subnet.
Scenario: AWS Systems Manager (SSM) agent running scheduled commands for patch management
Filter/Exclusion: Exclude requests whose source is within the address range of the SSM-managed instances.
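As an added example (this is not code from the page or from the rule's author, x0r), the following Python reproduces the lookupip rule's matching logic over constructed sample bytes, including the UTF-16 case the rule misses, and then runs the same five domains over constructed DNS records with the source-host exclusions the scenarios above describe. The internal ranges and the log records are assumptions invented for the example, and the hunt uses suffix matching on the queried name rather than YARA's substring semantics.

```python
import ipaddress
from typing import Dict, List, Optional

# The five ASCII strings from the lookupip rule. The rule's "nocase" modifier
# makes the match case-insensitive, and "any of them" means one hit is enough.
LOOKUP_DOMAINS = (
    "checkip.dyndns.org",
    "whatismyip.org",
    "whatsmyipaddress.com",
    "getmyip.org",
    "getmyip.co.uk",
)


def yara_hits(data: bytes) -> List[str]:
    """Return the rule strings found in `data`, in rule order.

    Mirrors the rule as a plain substring scan: bytes.lower() folds only ASCII
    letters, which is what YARA's `nocase` does for an ASCII string. The rule
    has no `wide` modifier, so a UTF-16 copy of the domain is NOT matched.
    """
    haystack = data.lower()
    return [d for d in LOOKUP_DOMAINS if d.encode("ascii") in haystack]


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's `condition: any of them`."""
    return bool(yara_hits(data))


# Constructed sample "binaries" (not real malware): a fragment embedding a
# lookup URL in mixed case, and the same domain stored as UTF-16LE.
SAMPLE_ASCII = b"MZ\x90\x00...\x00GET http://CheckIP.DynDNS.org/ HTTP/1.1\r\n"
SAMPLE_WIDE = "checkip.dyndns.org".encode("utf-16-le")

# ---- Hunting the same domains in DNS telemetry, with scoped exclusions ----

# Assumed internal ranges standing in for the page's exclusion scenarios.
# They are invented for this example; substitute your own asset inventory.
SOURCE_ALLOWLIST: Dict[str, ipaddress.IPv4Network] = {
    "veeam-backup-server": ipaddress.ip_network("10.10.5.0/24"),
    "ansible-control-node": ipaddress.ip_network("10.20.0.10/32"),
    "dsc-pull-server": ipaddress.ip_network("10.20.0.20/32"),
    "sql-server-subnet": ipaddress.ip_network("10.40.1.0/24"),
    "ssm-managed-subnet": ipaddress.ip_network("10.50.0.0/16"),
}


def allowlisted_source(src_ip: str) -> Optional[str]:
    """Name of the exclusion covering `src_ip`, or None if it is in scope."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in SOURCE_ALLOWLIST.items():
        if ip in net:
            return name
    return None


def matched_domain(qname: str) -> Optional[str]:
    """Suffix match on the queried name (exact domain or a subdomain of it).

    Unlike YARA's substring semantics, a look-alike such as
    getmyip.org.example.net does not match.
    """
    name = qname.lower().rstrip(".")
    for d in LOOKUP_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def hunt(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records that hit a lookup domain from a non-allowlisted source."""
    findings = []
    for rec in records:
        domain = matched_domain(rec["query"])
        if domain is None:
            continue
        if allowlisted_source(rec["src_ip"]) is not None:
            continue  # covered by one of the scenario exclusions
        findings.append({**rec, "matched": domain})
    return findings


# Constructed DNS log records (timestamp, client IP, queried name).
SAMPLE_RECORDS = [
    {"time": "2024-05-01T02:00:01Z", "src_ip": "10.10.5.20", "query": "checkip.dyndns.org"},
    {"time": "2024-05-01T02:05:00Z", "src_ip": "10.20.0.10", "query": "whatismyip.org."},
    {"time": "2024-05-01T09:14:32Z", "src_ip": "10.30.7.55", "query": "WhatIsMyIP.org"},
    {"time": "2024-05-01T09:14:33Z", "src_ip": "10.30.7.56", "query": "login.microsoftonline.com"},
    {"time": "2024-05-01T09:15:00Z", "src_ip": "10.30.7.57", "query": "getmyip.org.example.net"},
]

if __name__ == "__main__":
    print("rule hits:", yara_hits(SAMPLE_ASCII), "| UTF-16 sample:", yara_hits(SAMPLE_WIDE))
    for f in hunt(SAMPLE_RECORDS):
        print("FINDING", f["time"], f["src_ip"], f["query"], "->", f["matched"])
```

Running the script reports the mixed-case ASCII sample as a hit and the UTF-16 sample as a miss, and a single finding from the workstation at 10.30.7.55; the Veeam and Ansible sources are dropped by the allowlist and the look-alike name is not matched. For production scanning use the yara tool or yara-python rather than this substring scan, and if UTF-16 copies matter to you, give the rule's strings the `wide ascii` modifiers alongside `nocase`.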