From 5ba848552a0dae5bc53255604269340ae4ee9ae0 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 30 Sep 2020 18:36:22 -0500
Subject: [PATCH] [New Rule] Post Exploitation Public IP Reconnaissance (#270)

---
 ...exploitation_public_ip_reconnaissance.toml | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml

diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
new file mode 100644
index 000000000..bc32a8d73
--- /dev/null
+++ b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2020/09/04"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to
+test for Internet access and acquire their public IP address after they have gained access to a system. Among others,
+this has been observed in campaigns leveraging the information stealer, Trickbot.
+"""
+false_positives = [
+    """
+    If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those
+    events. Validate that this is expected activity and tune the rule to fit your environment variables.
+    """,
+]
+index = ["packetbeat-*"]
+language = "lucene"
+license = "Elastic License"
+name = "Public IP Reconnaissance Activity"
+note = "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert."
+references = [
+    "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+    "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+]
+risk_score = 21
+rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection, Preventing and Hunting", "Post-Execution"]
+type = "query"
+
+query = '''
+event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR
+  ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR
+  wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"