internal scripts or agents performing network checks may query ip geolocation services. tune by excluding known tools or adding internal allowlists for destination domains or process names and commandlines.

Techniques

Sample rules

Cisco NVM - Suspicious Network Connection to IP Lookup Service API

source: splunk
technicques:
- T1590.005
- T1016

Description

This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services, such as ipinfo.io, icanhazip.com, ip-api.com, and others. These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate network reconnaissance, virtual machine detection, or staging by malware. This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns. The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser processes to reduce noise.

Detection logic

`cisco_network_visibility_module_flowdata`
dest_hostname IN (
        "*api.2ip.ua*", "*api.bigdatacloud.net*", "*api.ipify.org*", "*whatismyipaddress.com*",
        "*canireachthe.net*", "*checkip.amazonaws.com*", "*checkip.dyndns.org*", "*curlmyip.com*",
        "*db-ip.com*", "*edns.ip-api.com*", "*eth0.me*", "*freegeoip.app*", "*geoipy.com*", "*getip.pro*",
        "*icanhazip.com*", "*ident.me*", "*ifconfig.io*", "*ifconfig.me*", "*ip-api.com*", "*ip.360.cn*",
        "*ip.anysrc.net*", "*ip.taobao.com*", "*ip.tyk.nu*", "*ipaddressworld.com*", "*ipapi.co*",
        "*ipconfig.io*", "*ipecho.net*", "*ipinfo.io*", "*ipip.net*", "*iplocation.net*", 
        "*ipof.in*", "*ipv6-test.com*", "*ipwho.is*", "*trackip.net*", "*inet-ip.info*",
        "*jsonip.com*", "*myexternalip.com*", "*seeip.org*",  "*wgetip.com*", 
        "*whatismyip.akamai.com*", "*whois.pconline.com.cn*", "*wtfismyip.com*", "*ip.cn"
        )
NOT process_name IN (
        "brave.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "maxthon.exe",
        "MicrosoftEdge.exe", "msedge.exe", "msedgewebview2.exe", "opera.exe", "safari.exe",
        "seamonkey.exe", "vivaldi.exe", "whale.exe"
  )

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime

| `cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api_filter`