LoFP LoFP / filter internet browser application to minimize the false positive of this detection.

Techniques

Sample rules

Windows Gather Victim Network Info Through Ip Check Web Services

Description

The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like “wtfismyip.com” and “ipinfo.io”. This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine’s IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.

Detection logic

`sysmon` EventCode=22  QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*", "*icanhazip.*") 
|  stats  min(_time) as firstTime max(_time) as lastTime count by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_gather_victim_network_info_through_ip_check_web_services_filter`