[Rule Tuning] Public IP Reconnaissance Activity (#1091)

* Delete discovery_post_exploitation_public_ip_reconnaissance.toml

* Updated ip lookup rule

* Modified index field

* Update discovery_post_exploitation_external_ip_lookup.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml

@@ -1,54 +0,0 @@
-[metadata]
-creation_date = "2020/09/04"
-maturity = "production"
-updated_date = "2021/03/03"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to
-test for Internet access and acquire their public IP address after they have gained access to a system. Among others,
-this has been observed in campaigns leveraging the information stealer, Trickbot.
-"""
-false_positives = [
-    """
-    If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those
-    events. Validate that this is expected activity and tune the rule to fit your environment variables.
-    """,
-]
-index = ["packetbeat-*"]
-language = "lucene"
-license = "Elastic License v2"
-name = "Public IP Reconnaissance Activity"
-note = "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert."
-references = [
-    "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
-    "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
-]
-risk_score = 21
-rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
-severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "Discovery"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR
-  ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR
-  wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/windows/discovery_post_exploitation_external_ip_lookup.toml

@@ -0,0 +1,87 @@
+[metadata]
+creation_date = "2020/09/04"
+maturity = "production"
+updated_date = "2021/04/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to
+test for Internet access and acquire their external IP address after they have gained access to a system. Among others,
+this has been observed in campaigns leveraging the information stealer, Trickbot.
+"""
+false_positives = [
+    """
+    If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those
+    events. Validate that this is expected activity and tune the rule to fit your environment variables.
+    """,
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "External IP Lookup fron Non-Browser Process"
+references = [
+    "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+    "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+]
+risk_score = 21
+rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+network where network.protocol == "dns" and
+    process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and
+    event.action == "lookup_requested" and
+    /* Add new external IP lookup services here */
+    dns.question.name :
+    (
+        "*api.ipify.org",
+        "*freegeoip.app",
+        "*checkip.amazonaws.com",
+        "*checkip.dyndns.org",
+        "*freegeoip.app",
+        "*icanhazip.com",
+        "*ifconfig.*",
+        "*ipecho.net",
+        "*ipgeoapi.com",
+        "*ipinfo.io",
+        "*ip.anysrc.net",
+        "*myexternalip.com",
+        "*myipaddress.com",
+        "*showipaddress.com",
+        "*whatismyipaddress.com",
+        "*wtfismyip.com"
+    ) and
+    /* Insert noisy false positives here */
+    not process.executable :
+    (
+      "?:\\Program Files\\*.exe",
+      "?:\\Program Files (x86)\\*.exe",
+      "?:\\Windows\\System32\\WWAHost.exe",
+      "?:\\Windows\\System32\\smartscreen.exe",
+      "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
+      "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+      "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+      "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
+      "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
+      "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"