security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/dns_query/dns_query_win_susp_ipify.yml
T
Nasreddine Bencherchali 20b0a6bad8 Rule Dev
2022-11-18 11:15:28 +01:00

55 lines
1.8 KiB
YAML
Raw Blame History

title: Suspicious DNS Query for IP Lookup Service APIs
id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
status: test
description: Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.
references:
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
- https://twitter.com/neonprimetime/status/1436376497980428318
author: Brandon George (blog post), Thomas Patzke (rule)
date: 2021/07/08
modified: 2022/11/18
tags:
- attack.reconnaissance
- attack.t1590
logsource:
product: windows
category: dns_query
detection:
dns_request:
QueryName:
- 'canireachthe.net'
- 'ipv4.icanhazip.com'
- 'ip.anysrc.net'
- 'edns.ip-api.com'
- 'wtfismyip.com'
- 'checkip.dyndns.org'
- 'api.2ip.ua'
- 'icanhazip.com'
- 'api.ipify.org'
- 'ip-api.com'
- 'checkip.amazonaws.com'
- 'ipecho.net'
- 'ipinfo.io'
- 'ipv4bot.whatismyipaddress.com'
- 'freegeoip.app'
- 'ifconfig.me'
- 'ipwho.is'
filter_browser:
Image|endswith:
# Add missing browsers you use and exclude the ones you don't
- '\Google\Chrome\Application\chrome.exe'
- '\iexplore.exe'
- '\firefox.exe'
- '\brave.exe'
- '\opera.exe'
- '\msedge.exe'
- '\vivaldi.exe'
- '\chromium.exe'
- '\microsoftedge.exe'
- '\iexplorer.exe'
- '\CCleaner Browser\Application\CCleanerBrowser.exe'
condition: dns_request and not filter_browser
falsepositives:
- Legitimate usage of ip lookup services such as ipify API
level: medium
Reference in New Issue View Git Blame Copy Permalink