If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment.

Techniques

Sample rules

External IP Lookup from Non-Browser Process

Description

Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.

Detection logic

network where host.os.type == "windows" and network.protocol == "dns" and
    process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and
    event.action == "lookup_requested" and
    /* Add new external IP lookup services here */
    dns.question.name :
    (
        "*api.ipify.org",
        "*freegeoip.app",
        "*checkip.amazonaws.com",
        "*checkip.dyndns.org",
        "*icanhazip.com",
        "*ifconfig.*",
        "*ipecho.net",
        "*ipgeoapi.com",
        "*ipinfo.io",
        "*ip.anysrc.net",
        "*myexternalip.com",
        "*myipaddress.com",
        "*showipaddress.com",
        "*whatismyipaddress.com",
        "*wtfismyip.com",
        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"
    ) and
    /* Insert noisy false positives here */
    not
    (
      (
        process.executable : (
            "?:\\Program Files\\*.exe",
            "?:\\Program Files (x86)\\*.exe",
            "?:\\Windows\\Prey\\versions\\*\\bin\\node.exe",
            "?:\\Windows\\System32\\WWAHost.exe",
            "?:\\Windows\\System32\\smartscreen.exe",
            "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
            "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
            "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
            "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
        ) and process.code_signature.trusted == true
      ) or
      (
        (process.name : "Evernote.exe" and process.code_signature.subject_name : "Evernote Corporation" and process.code_signature.trusted == true) or
        (process.name : "firefox.exe" and process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true) or
        (process.name : "Loom.exe" and process.code_signature.subject_name : "Loom, Inc." and process.code_signature.trusted == true) or
        (process.name : "opera.exe" and process.code_signature.subject_name : "Opera Norway AS" and process.code_signature.trusted == true) or
        (process.name : "brave.exe" and process.code_signature.subject_name : "Brave Software, Inc." and process.code_signature.trusted == true) or
        (process.name : "vivaldi.exe" and process.code_signature.subject_name : "Vivaldi Technologies AS" and process.code_signature.trusted == true)
      )
    )
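As an added illustration (not code from the rule or from this page), the query above re-implemented in Python and run over constructed DNS events, so the code-signature-gated exclusions can be checked outside the SIEM. Field names follow the rule's ECS fields; the domain and path lists are a subset of the rule's own; the sample events, paths and SIDs are constructed.

```python
from fnmatch import fnmatchcase

# Subset of the rule's lookup domains and exclusions (same strings as above).
LOOKUP_DOMAINS = ["*api.ipify.org", "*checkip.amazonaws.com", "*icanhazip.com",
                  "*ifconfig.*", "*ipinfo.io", "*whatismyipaddress.com"]
TRUSTED_PATHS = [r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe",
                 r"?:\Users\*\AppData\Local\Google\Chrome\Application\chrome.exe"]
SIGNED_BROWSERS = {"firefox.exe": "Mozilla Corporation", "brave.exe": "Brave Software, Inc."}
SERVICE_SIDS = {"S-1-5-19", "S-1-5-20"}  # LOCAL SERVICE and NETWORK SERVICE

def eql_match(value, patterns):
    """EQL ':' operator: case-insensitive wildcard match, '?' one char, '*' any run."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """True when a flat ECS-style DNS event would fire the rule above."""
    if not (ev.get("host.os.type") == "windows" and ev.get("network.protocol") == "dns"
            and ev.get("process.name") and ev.get("user.id") not in (None, *SERVICE_SIDS)
            and ev.get("event.action") == "lookup_requested"):
        return False
    if not eql_match(ev.get("dns.question.name", ""), LOOKUP_DOMAINS):
        return False
    # Both exclusion branches require a trusted code signature, so an unsigned
    # binary dropped under a browser's name in a user-writable path still fires.
    trusted = ev.get("process.code_signature.trusted") is True
    if trusted and eql_match(ev.get("process.executable", ""), TRUSTED_PATHS):
        return False
    expected = SIGNED_BROWSERS.get(ev["process.name"].lower())
    if trusted and expected and eql_match(ev.get("process.code_signature.subject_name", ""), [expected]):
        return False
    return True

def event(name, domain, exe, trusted=False, subject="", uid="S-1-5-21-1111-2222-3333-1001"):
    """Constructed ECS-style event with the rule's fixed preconditions filled in."""
    return {"host.os.type": "windows", "network.protocol": "dns", "event.action": "lookup_requested",
            "user.id": uid, "process.name": name, "dns.question.name": domain, "process.executable": exe,
            "process.code_signature.trusted": trusted, "process.code_signature.subject_name": subject}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    event("powershell.exe", "api.ipify.org", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True),
    event("chrome.exe", "ipinfo.io", r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe", True),
    event("chrome.exe", "ipinfo.io", r"C:\Users\alice\AppData\Local\Temp\chrome.exe"),
    event("firefox.exe", "ifconfig.me", r"C:\Users\alice\Tools\Firefox\firefox.exe", True, "Mozilla Corporation"),
    event("svchost.exe", "checkip.amazonaws.com", r"C:\Windows\System32\svchost.exe", True, uid="S-1-5-20"),
]

def alerts(events):
    """(process.name, dns.question.name) for every event the rule would flag."""
    return [(e["process.name"], e["dns.question.name"]) for e in events if matches_rule(e)]
```

Only the PowerShell lookup and the unsigned copy of chrome.exe in Temp are reported; the signed Chrome, the Mozilla-signed portable Firefox and the NETWORK SERVICE lookup are suppressed by the rule's exclusions.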