Suspicious DNS Query for IP Lookup Service APIs

Severity: medium
Author: Brandon George (blog post), Thomas Patzke
Source: upstream

Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.

MITRE ATT&CK coverage

Tactic	Techniques
Reconnaissance	`T1590` Gather Victim Network Information

Event coverage

Provider	Event ID	Title
Sysmon	22	DNSEvent (DNS query)

Stages and Predicates

Stage 1: `selection`

or:
QueryName: l2.io
QueryName: www.ip.cn
QueryName|contains: api.2ip.ua
QueryName|contains: api.bigdatacloud.net
QueryName|contains: api.ipify.org
QueryName|contains: bot.whatismyipaddress.com
QueryName|contains: canireachthe.net
QueryName|contains: checkip.amazonaws.com
QueryName|contains: checkip.dyndns.org
QueryName|contains: curlmyip.com
QueryName|contains: db-ip.com
QueryName|contains: edns.ip-api.com
QueryName|contains: eth0.me
QueryName|contains: freegeoip.app
QueryName|contains: geoipy.com
QueryName|contains: getip.pro
QueryName|contains: icanhazip.com
QueryName|contains: ident.me
QueryName|contains: ifconfig.io
QueryName|contains: ifconfig.me
QueryName|contains: ip-api.com
QueryName|contains: ip.360.cn
QueryName|contains: ip.anysrc.net
QueryName|contains: ip.taobao.com
QueryName|contains: ip.tyk.nu
QueryName|contains: ipaddressworld.com
QueryName|contains: ipapi.co
QueryName|contains: ipconfig.io
QueryName|contains: ipecho.net
QueryName|contains: ipinfo.io
QueryName|contains: ipip.net
QueryName|contains: ipof.in
QueryName|contains: ipv4.icanhazip.com
QueryName|contains: ipv4bot.whatismyipaddress.com
QueryName|contains: ipv6-test.com
QueryName|contains: ipwho.is
QueryName|contains: jsonip.com
QueryName|contains: myexternalip.com
QueryName|contains: seeip.org
QueryName|contains: wgetip.com
QueryName|contains: whatismyip.akamai.com
QueryName|contains: whois.pconline.com.cn
QueryName|contains: wtfismyip.com

Stage 2: `not 1 of filter_optional_*`

or:
or:
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeCore\'
Image|startswith: 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
Image|endswith: '\brave.exe'
Image|endswith: '\maxthon.exe'
Image|endswith: '\opera.exe'
Image|endswith: '\safari.exe'
Image|endswith: '\seamonkey.exe'
Image|endswith: '\vivaldi.exe'
Image|endswith: '\whale.exe'
Image: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\WindowsApps\MicrosoftEdge.exe` corpus 12 (sigma 12) `\brave.exe` corpus 20 (sigma 20) `\maxthon.exe` corpus 13 (sigma 13) `\msedge.exe` corpus 22 (sigma 22) `\msedgewebview2.exe` corpus 15 (sigma 15) `\opera.exe` corpus 21 (sigma 21) `\safari.exe` corpus 12 (sigma 12) `\seamonkey.exe` corpus 13 (sigma 13) `\vivaldi.exe` corpus 19 (sigma 19) `\whale.exe` corpus 12 (sigma 12)
`Image`	eq	`C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Internet Explorer\iexplore.exe` corpus 10 (sigma 10) `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Mozilla Firefox\firefox.exe` corpus 11 (sigma 11) `C:\Program Files\Google\Chrome\Application\chrome.exe` corpus 12 (sigma 12) `C:\Program Files\Internet Explorer\iexplore.exe` corpus 11 (sigma 11) `C:\Program Files\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files\Mozilla Firefox\firefox.exe` corpus 12 (sigma 12)
`Image`	starts_with	`C:\Program Files (x86)\Microsoft\EdgeCore\` corpus 11 (sigma 11) `C:\Program Files (x86)\Microsoft\EdgeWebView\Application\` corpus 10 (sigma 10) `C:\Program Files\Microsoft\EdgeCore\` corpus 11 (sigma 11)
`QueryName`	eq	`l2.io` `www.ip.cn`
`QueryName`	match	`api.2ip.ua` `api.bigdatacloud.net` `api.ipify.org` `bot.whatismyipaddress.com` `canireachthe.net` `checkip.amazonaws.com` `checkip.dyndns.org` `curlmyip.com` `db-ip.com` `edns.ip-api.com` `eth0.me` `freegeoip.app` `geoipy.com` `getip.pro` `icanhazip.com` `ident.me` `ifconfig.io` `ifconfig.me` `ip-api.com` `ip.360.cn` `ip.anysrc.net` `ip.taobao.com` `ip.tyk.nu` `ipaddressworld.com` `ipapi.co` `ipconfig.io` `ipecho.net` `ipinfo.io` `ipip.net` `ipof.in` `ipv4.icanhazip.com` `ipv4bot.whatismyipaddress.com` `ipv6-test.com` `ipwho.is` `jsonip.com` `myexternalip.com` `seeip.org` `wgetip.com` `whatismyip.akamai.com` `whois.pconline.com.cn` `wtfismyip.com`