Detection | medium | test
Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post-compromise internet test activity.
Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | Created Mon Apr 24 | Updated Fri Mar 22 | edf3485d-dac4-4d50-90e4-b0e5813f7e60 | windows
Log Source
Windows, Network Connection
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (13 selectors)
detection:
    selection:
        - DestinationHostname:
              - 'www.ip.cn'
              - 'l2.io'
        - DestinationHostname|contains:
              - 'api.2ip.ua'
              - 'api.bigdatacloud.net'
              - 'api.ipify.org'
              - 'bot.whatismyipaddress.com'
              - 'canireachthe.net'
              - 'checkip.amazonaws.com'
              - 'checkip.dyndns.org'
              - 'curlmyip.com'
              - 'db-ip.com'
              - 'edns.ip-api.com'
              - 'eth0.me'
              - 'freegeoip.app'
              - 'geoipy.com'
              - 'getip.pro'
              - 'icanhazip.com'
              - 'ident.me'
              - 'ifconfig.io'
              - 'ifconfig.me'
              - 'ip-api.com'
              - 'ip.360.cn'
              - 'ip.anysrc.net'
              - 'ip.taobao.com'
              - 'ip.tyk.nu'
              - 'ipaddressworld.com'
              - 'ipapi.co'
              - 'ipconfig.io'
              - 'ipecho.net'
              - 'ipinfo.io'
              - 'ipip.net'
              - 'ipof.in'
              - 'ipv4.icanhazip.com'
              - 'ipv4bot.whatismyipaddress.com'
              - 'ipv6-test.com'
              - 'ipwho.is'
              - 'jsonip.com'
              - 'myexternalip.com'
              - 'seeip.org'
              - 'wgetip.com'
              - 'whatismyip.akamai.com'
              - 'whois.pconline.com.cn'
              - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
False Positives
Legitimate use of the external websites for troubleshooting or network monitoring
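The following Python is an added example, not part of the rule or the Sigma project. It applies the rule's condition to constructed Sysmon-style network events, using a subset of the rule's hostnames and filters, to show how the full-path, filename-only and combined (edge_2) filters behave. The event values, the `id` field and the `alerts` helper are assumptions.

```python
# Added example: a subset of the rule's values, evaluated over constructed events.
EXACT = {"www.ip.cn", "l2.io"}                            # DestinationHostname (exact)
CONTAINS = ("api.ipify.org", "checkip.amazonaws.com",
            "icanhazip.com", "ifconfig.me", "ipinfo.io")  # |contains (subset)
FULL_PATHS = {p.lower() for p in (                        # filter_optional_chrome / _firefox
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe")}
ENDSWITH = ("\\brave.exe", "\\opera.exe", "\\vivaldi.exe")  # filename-only filters (subset)
EDGECORE = ("c:\\program files (x86)\\microsoft\\edgecore\\",
            "c:\\program files\\microsoft\\edgecore\\")    # filter_optional_edge_2 prefixes
EDGE_BIN = ("\\msedge.exe", "\\msedgewebview2.exe")         # filter_optional_edge_2 suffixes

def selection(ev):
    host = ev.get("DestinationHostname", "").lower()  # Sigma string matching ignores case
    return host in EXACT or any(d in host for d in CONTAINS)

def filtered(ev):
    image = ev.get("Image", "").lower()
    # edge_2 is a map, so its startswith and endswith must both hold
    edge_2 = image.startswith(EDGECORE) and image.endswith(EDGE_BIN)
    # "1 of filter_optional_*": any single filter excludes the event
    return image in FULL_PATHS or image.endswith(ENDSWITH) or edge_2

def alerts(events):
    """Return ids of events matching: selection and not 1 of filter_optional_*"""
    return [ev["id"] for ev in events if selection(ev) and not filtered(ev)]

EVENTS = [  # constructed samples using Sysmon EventID 3 field names
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.ipify.org"},            # non-browser: alert
    {"id": 2, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "ipinfo.io"},                # full-path browser filter: no alert
    {"id": 3, "Image": r"C:\Users\Public\chrome.exe",
     "DestinationHostname": "ifconfig.me"},              # not the filtered full path: alert
    {"id": 4, "Image": r"C:\Program Files (x86)\Microsoft\EdgeCore\1.0\msedgewebview2.exe",
     "DestinationHostname": "checkip.amazonaws.com"},    # edge_2 prefix and suffix: no alert
    {"id": 5, "Image": r"C:\Program Files\Microsoft\EdgeCore\1.0\helper.exe",
     "DestinationHostname": "icanhazip.com"},            # edge_2 prefix only: alert
    {"id": 6, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "example.com"},              # host not in selection: no alert
    {"id": 7, "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "IPV4.ICANHAZIP.COM"},       # contains match, any case: alert
]

if __name__ == "__main__":
    print(alerts(EVENTS))
```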
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID: edf3485d-dac4-4d50-90e4-b0e5813f7e60
Status: test
Level: medium
Type: Detection
Created: Mon Apr 24
Modified: Fri Mar 22
Path: rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
Raw Tags: attack.discovery, attack.t1016