Suspicious Network Connection to IP Lookup Service APIs

Severity: medium
Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1016` System Network Configuration Discovery

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

or:
DestinationHostname: l2.io
DestinationHostname: www.ip.cn
DestinationHostname|contains: api.2ip.ua
DestinationHostname|contains: api.bigdatacloud.net
DestinationHostname|contains: api.ipify.org
DestinationHostname|contains: bot.whatismyipaddress.com
DestinationHostname|contains: canireachthe.net
DestinationHostname|contains: checkip.amazonaws.com
DestinationHostname|contains: checkip.dyndns.org
DestinationHostname|contains: curlmyip.com
DestinationHostname|contains: db-ip.com
DestinationHostname|contains: edns.ip-api.com
DestinationHostname|contains: eth0.me
DestinationHostname|contains: freegeoip.app
DestinationHostname|contains: geoipy.com
DestinationHostname|contains: getip.pro
DestinationHostname|contains: icanhazip.com
DestinationHostname|contains: ident.me
DestinationHostname|contains: ifconfig.io
DestinationHostname|contains: ifconfig.me
DestinationHostname|contains: ip-api.com
DestinationHostname|contains: ip.360.cn
DestinationHostname|contains: ip.anysrc.net
DestinationHostname|contains: ip.taobao.com
DestinationHostname|contains: ip.tyk.nu
DestinationHostname|contains: ipaddressworld.com
DestinationHostname|contains: ipapi.co
DestinationHostname|contains: ipconfig.io
DestinationHostname|contains: ipecho.net
DestinationHostname|contains: ipinfo.io
DestinationHostname|contains: ipip.net
DestinationHostname|contains: ipof.in
DestinationHostname|contains: ipv4.icanhazip.com
DestinationHostname|contains: ipv4bot.whatismyipaddress.com
DestinationHostname|contains: ipv6-test.com
DestinationHostname|contains: ipwho.is
DestinationHostname|contains: jsonip.com
DestinationHostname|contains: myexternalip.com
DestinationHostname|contains: seeip.org
DestinationHostname|contains: wgetip.com
DestinationHostname|contains: whatismyip.akamai.com
DestinationHostname|contains: whois.pconline.com.cn
DestinationHostname|contains: wtfismyip.com

Stage 2: `not 1 of filter_optional_*`

or:
or:
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeCore\'
Image|startswith: 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
Image|endswith: '\brave.exe'
Image|endswith: '\maxthon.exe'
Image|endswith: '\opera.exe'
Image|endswith: '\safari.exe'
Image|endswith: '\seamonkey.exe'
Image|endswith: '\vivaldi.exe'
Image|endswith: '\whale.exe'
Image: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationHostname`	eq	`l2.io` `www.ip.cn`
`DestinationHostname`	match	`api.2ip.ua` `api.bigdatacloud.net` `api.ipify.org` `bot.whatismyipaddress.com` `canireachthe.net` `checkip.amazonaws.com` `checkip.dyndns.org` `curlmyip.com` `db-ip.com` `edns.ip-api.com` `eth0.me` `freegeoip.app` `geoipy.com` `getip.pro` `icanhazip.com` `ident.me` `ifconfig.io` `ifconfig.me` `ip-api.com` `ip.360.cn` `ip.anysrc.net` `ip.taobao.com` `ip.tyk.nu` `ipaddressworld.com` `ipapi.co` `ipconfig.io` `ipecho.net` `ipinfo.io` `ipip.net` `ipof.in` `ipv4.icanhazip.com` `ipv4bot.whatismyipaddress.com` `ipv6-test.com` `ipwho.is` `jsonip.com` `myexternalip.com` `seeip.org` `wgetip.com` `whatismyip.akamai.com` `whois.pconline.com.cn` `wtfismyip.com`
`Image`	ends_with	`\WindowsApps\MicrosoftEdge.exe` corpus 12 (sigma 12) `\brave.exe` corpus 20 (sigma 20) `\maxthon.exe` corpus 13 (sigma 13) `\msedge.exe` corpus 22 (sigma 22) `\msedgewebview2.exe` corpus 15 (sigma 15) `\opera.exe` corpus 21 (sigma 21) `\safari.exe` corpus 12 (sigma 12) `\seamonkey.exe` corpus 13 (sigma 13) `\vivaldi.exe` corpus 19 (sigma 19) `\whale.exe` corpus 12 (sigma 12)
`Image`	eq	`C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Internet Explorer\iexplore.exe` corpus 10 (sigma 10) `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Mozilla Firefox\firefox.exe` corpus 11 (sigma 11) `C:\Program Files\Google\Chrome\Application\chrome.exe` corpus 12 (sigma 12) `C:\Program Files\Internet Explorer\iexplore.exe` corpus 11 (sigma 11) `C:\Program Files\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files\Mozilla Firefox\firefox.exe` corpus 12 (sigma 12)
`Image`	starts_with	`C:\Program Files (x86)\Microsoft\EdgeCore\` corpus 11 (sigma 11) `C:\Program Files (x86)\Microsoft\EdgeWebView\Application\` corpus 10 (sigma 10) `C:\Program Files\Microsoft\EdgeCore\` corpus 11 (sigma 11)