Detects external IP address lookups by non-browser processes via services such as “api.ipify.org”. This could be indicative of potential post compromise internet test activity.
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
- id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
- https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
- attack.discovery
- attack.t1016
logsource:
category: network_connection
product: windows
detection:
selection:
- DestinationHostname:
- 'www.ip.cn'
- 'l2.io'
- DestinationHostname|contains:
- 'api.2ip.ua'
- 'api.bigdatacloud.net'
- 'api.ipify.org'
- 'bot.whatismyipaddress.com'
- 'canireachthe.net'
- 'checkip.amazonaws.com'
- 'checkip.dyndns.org'
- 'curlmyip.com'
- 'db-ip.com'
- 'edns.ip-api.com'
- 'eth0.me'
- 'freegeoip.app'
- 'geoipy.com'
- 'getip.pro'
- 'icanhazip.com'
- 'ident.me'
- 'ifconfig.io'
- 'ifconfig.me'
- 'ip-api.com'
- 'ip.360.cn'
- 'ip.anysrc.net'
- 'ip.taobao.com'
- 'ip.tyk.nu'
- 'ipaddressworld.com'
- 'ipapi.co'
- 'ipconfig.io'
- 'ipecho.net'
- 'ipinfo.io'
- 'ipip.net'
- 'ipof.in'
- 'ipv4.icanhazip.com'
- 'ipv4bot.whatismyipaddress.com'
- 'ipv6-test.com'
- 'ipwho.is'
- 'jsonip.com'
- 'myexternalip.com'
- 'seeip.org'
- 'wgetip.com'
- 'whatismyip.akamai.com'
- 'whois.pconline.com.cn'
- 'wtfismyip.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
imNetworkSession
| where ((DstHostname in~ ("www.ip.cn", "l2.io")) or (DstHostname contains "api.2ip.ua" or DstHostname contains "api.bigdatacloud.net" or DstHostname contains "api.ipify.org" or DstHostname contains "bot.whatismyipaddress.com" or DstHostname contains "canireachthe.net" or DstHostname contains "checkip.amazonaws.com" or DstHostname contains "checkip.dyndns.org" or DstHostname contains "curlmyip.com" or DstHostname contains "db-ip.com" or DstHostname contains "edns.ip-api.com" or DstHostname contains "eth0.me" or DstHostname contains "freegeoip.app" or DstHostname contains "geoipy.com" or DstHostname contains "getip.pro" or DstHostname contains "icanhazip.com" or DstHostname contains "ident.me" or DstHostname contains "ifconfig.io" or DstHostname contains "ifconfig.me" or DstHostname contains "ip-api.com" or DstHostname contains "ip.360.cn" or DstHostname contains "ip.anysrc.net" or DstHostname contains "ip.taobao.com" or DstHostname contains "ip.tyk.nu" or DstHostname contains "ipaddressworld.com" or DstHostname contains "ipapi.co" or DstHostname contains "ipconfig.io" or DstHostname contains "ipecho.net" or DstHostname contains "ipinfo.io" or DstHostname contains "ipip.net" or DstHostname contains "ipof.in" or DstHostname contains "ipv4.icanhazip.com" or DstHostname contains "ipv4bot.whatismyipaddress.com" or DstHostname contains "ipv6-test.com" or DstHostname contains "ipwho.is" or DstHostname contains "jsonip.com" or DstHostname contains "myexternalip.com" or DstHostname contains "seeip.org" or DstHostname contains "wgetip.com" or DstHostname contains "whatismyip.akamai.com" or DstHostname contains "whois.pconline.com.cn" or DstHostname contains "wtfismyip.com")) and (not(((SrcProcessName endswith "\\brave.exe" or DstProcessName endswith "\\brave.exe") or ((SrcProcessName in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (DstProcessName in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"))) or ((SrcProcessName in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (DstProcessName in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"))) or ((SrcProcessName in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (DstProcessName in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"))) or (SrcProcessName endswith "\\maxthon.exe" or DstProcessName endswith "\\maxthon.exe") or ((SrcProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or DstProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\") or (SrcProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe" or DstProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe") or ((SrcProcessName in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")) or (DstProcessName in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")))) or (((SrcProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or SrcProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\") or (DstProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or DstProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) and ((SrcProcessName endswith "\\msedge.exe" or SrcProcessName endswith "\\msedgewebview2.exe") or (DstProcessName endswith "\\msedge.exe" or DstProcessName endswith "\\msedgewebview2.exe"))) or (SrcProcessName endswith "\\opera.exe" or DstProcessName endswith "\\opera.exe") or (SrcProcessName endswith "\\safari.exe" or DstProcessName endswith "\\safari.exe") or (SrcProcessName endswith "\\seamonkey.exe" or DstProcessName endswith "\\seamonkey.exe") or (SrcProcessName endswith "\\vivaldi.exe" or DstProcessName endswith "\\vivaldi.exe") or (SrcProcessName endswith "\\whale.exe" or DstProcessName endswith "\\whale.exe"))))| Sentinel Table | Notes |
|---|---|
imNetworkSession | Ensure this data connector is enabled |