diff --git a/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml b/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
index 59dae9232..839a50eaf 100644
--- a/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
@@ -8,7 +8,7 @@ references:
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Brandon George (blog post), Thomas Patzke
 date: 2021/07/08
-modified: 2024/02/08
+modified: 2024/03/21
 tags:
 - attack.reconnaissance
 - attack.t1590
@@ -17,42 +17,51 @@ logsource:
 category: dns_query
 detection:
 selection:
- QueryName|contains:
- - 'api.2ip.ua'
- - 'api.bigdatacloud.net'
- - 'api.ipify.org'
- - 'bot.whatismyipaddress.com'
- - 'canireachthe.net'
- - 'checkip.amazonaws.com'
- - 'checkip.dyndns.org'
- - 'curlmyip.com'
- - 'db-ip.com'
- - 'edns.ip-api.com'
- - 'eth0.me'
- - 'freegeoip.app'
- - 'geoipy.com'
- - 'getip.pro'
- - 'icanhazip.com'
- - 'ident.me'
- - 'ifconfig.io'
- - 'ifconfig.me'
- - 'ip-api.com'
- - 'ip.anysrc.net'
- - 'ip.tyk.nu'
- - 'ipaddressworld.com'
- - 'ipapi.co'
- - 'ipconfig.io'
- - 'ipecho.net'
- - 'ipinfo.io'
- - 'ipof.in'
- - 'ipv4.icanhazip.com'
- - 'ipv4bot.whatismyipaddress.com'
- - 'ipwho.is'
- - 'l2.io'
- - 'myexternalip.com'
- - 'wgetip.com'
- - 'whatismyip.akamai.com'
- - 'wtfismyip.com'
+ - QueryName:
+ - 'ip.cn'
+ - 'l2.io'
+ - QueryName|contains:
+ - 'api.2ip.ua'
+ - 'api.bigdatacloud.net'
+ - 'api.ipify.org'
+ - 'bot.whatismyipaddress.com'
+ - 'canireachthe.net'
+ - 'checkip.amazonaws.com'
+ - 'checkip.dyndns.org'
+ - 'curlmyip.com'
+ - 'db-ip.com'
+ - 'edns.ip-api.com'
+ - 'eth0.me'
+ - 'freegeoip.app'
+ - 'geoipy.com'
+ - 'getip.pro'
+ - 'icanhazip.com'
+ - 'ident.me'
+ - 'ifconfig.io'
+ - 'ifconfig.me'
+ - 'ip-api.com'
+ - 'ip.360.cn'
+ - 'ip.anysrc.net'
+ - 'ip.taobao.com'
+ - 'ip.tyk.nu'
+ - 'ipaddressworld.com'
+ - 'ipapi.co'
+ - 'ipconfig.io'
+ - 'ipecho.net'
+ - 'ipinfo.io'
+ - 'ipip.net'
+ - 'ipof.in'
+ - 'ipv4.icanhazip.com'
+ - 'ipv4bot.whatismyipaddress.com'
+ - 'ipv6-test.com'
+ - 'ipwho.is'
+ - 'jsonip.com'
+ - 'myexternalip.com'
+ - 'seeip.org'
+ - 'wgetip.com'
+ - 'whatismyip.akamai.com'
+ - 'whois.pconline.com.cn'
+ - 'wtfismyip.com'
 filter_optional_brave:
 Image|endswith: '\brave.exe'
 filter_optional_chrome:
diff --git a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
index 30cada781..097efacd8 100644
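Review bot: The new exact-match `QueryName:` list for 'ip.cn' and 'l2.io' stops matching as soon as any label is prepended, so a lookup of a host under either zone is no longer caught, while every other entry in the selection still matches as a substring. Exact match is the right call for these two because `|contains: 'ip.cn'` would also fire on unrelated names that merely end in those characters (a `zip.cn` host, constructed example); the usual Sigma answer is a third OR'd map `- QueryName|endswith:` with `- '.ip.cn'` and `- '.l2.io'`, which covers subdomains without reintroducing the substring match. The same structure is used for `DestinationHostname` in the net_connection_win_susp_external_ip_lookup.yml hunk of this commit, so both rules should be adjusted together. The detection's `condition` line lies outside the hunk, so I cannot confirm from here how the list-of-maps selection is combined with the optional filters.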
--- a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
@@ -12,7 +12,7 @@ references:
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/04/24
-modified: 2024/02/08
+modified: 2024/03/21
 tags:
 - attack.discovery
 - attack.t1016
@@ -21,42 +21,51 @@ logsource:
 product: windows
 detection:
 selection:
- DestinationHostname|contains:
- - 'api.2ip.ua'
- - 'api.bigdatacloud.net'
- - 'api.ipify.org'
- - 'bot.whatismyipaddress.com'
- - 'canireachthe.net'
- - 'checkip.amazonaws.com'
- - 'checkip.dyndns.org'
- - 'curlmyip.com'
- - 'db-ip.com'
- - 'edns.ip-api.com'
- - 'eth0.me'
- - 'freegeoip.app'
- - 'geoipy.com'
- - 'getip.pro'
- - 'icanhazip.com'
- - 'ident.me'
- - 'ifconfig.io'
- - 'ifconfig.me'
- - 'ip-api.com'
- - 'ip.anysrc.net'
- - 'ip.tyk.nu'
- - 'ipaddressworld.com'
- - 'ipapi.co'
- - 'ipconfig.io'
- - 'ipecho.net'
- - 'ipinfo.io'
- - 'ipof.in'
- - 'ipv4.icanhazip.com'
- - 'ipv4bot.whatismyipaddress.com'
- - 'ipwho.is'
- - 'l2.io'
- - 'myexternalip.com'
- - 'wgetip.com'
- - 'whatismyip.akamai.com'
- - 'wtfismyip.com'
+ - DestinationHostname:
+ - 'ip.cn'
+ - 'l2.io'
+ - DestinationHostname|contains:
+ - 'api.2ip.ua'
+ - 'api.bigdatacloud.net'
+ - 'api.ipify.org'
+ - 'bot.whatismyipaddress.com'
+ - 'canireachthe.net'
+ - 'checkip.amazonaws.com'
+ - 'checkip.dyndns.org'
+ - 'curlmyip.com'
+ - 'db-ip.com'
+ - 'edns.ip-api.com'
+ - 'eth0.me'
+ - 'freegeoip.app'
+ - 'geoipy.com'
+ - 'getip.pro'
+ - 'icanhazip.com'
+ - 'ident.me'
+ - 'ifconfig.io'
+ - 'ifconfig.me'
+ - 'ip-api.com'
+ - 'ip.360.cn'
+ - 'ip.anysrc.net'
+ - 'ip.taobao.com'
+ - 'ip.tyk.nu'
+ - 'ipaddressworld.com'
+ - 'ipapi.co'
+ - 'ipconfig.io'
+ - 'ipecho.net'
+ - 'ipinfo.io'
+ - 'ipip.net'
+ - 'ipof.in'
+ - 'ipv4.icanhazip.com'
+ - 'ipv4bot.whatismyipaddress.com'
+ - 'ipv6-test.com'
+ - 'ipwho.is'
+ - 'jsonip.com'
+ - 'myexternalip.com'
+ - 'seeip.org'
+ - 'wgetip.com'
+ - 'whatismyip.akamai.com'
+ - 'whois.pconline.com.cn'
+ - 'wtfismyip.com'
 filter_optional_brave:
 Image|endswith: '\brave.exe'
 filter_optional_chrome: