External IP Lookup fron Non-Browser Process
editExternal IP Lookup fron Non-Browser Process
editIdentifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Discovery
Version: 5
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editnetwork where network.protocol == "dns" and process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and event.action == "lookup_requested" and /* Add new external IP lookup services here */ dns.question.name : ( "*api.ipify.org", "*freegeoip.app", "*checkip.amazonaws.com", "*checkip.dyndns.org", "*freegeoip.app", "*icanhazip.com", "*ifconfig.*", "*ipecho.net", "*ipgeoapi.com", "*ipinfo.io", "*ip.anysrc.net", "*myexternalip.com", "*myipaddress.com", "*showipaddress.com", "*whatismyipaddress.com", "*wtfismyip.com", "*ipapi.co", "*ip-lookup.net", "*ipstack.com" ) and /* Insert noisy false positives here */ not process.executable : ( "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\WWAHost.exe", "?:\\Windows\\System32\\smartscreen.exe", "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: System Network Configuration Discovery
- ID: T1016
- Reference URL: https://attack.mitre.org/techniques/T1016/