detection.wiki

Detection rules › Splunk

Windows Gather Victim Network Info Through Ip Check Web Services

Status
production
Severity
low
Group by
QueryName, QueryResults, QueryStatus, answer, answer_count, dvc, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product
Author
Teoderick Contreras, Splunk
Source
github.com/splunk/security_content

The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.

MITRE ATT&CK coverage

TacticTechniques
ReconnaissanceT1590.005 Gather Victim Network Information: IP Addresses

Event coverage

ProviderEventTitle
SysmonEvent ID 22DNSEvent (DNS query)

Rule body splunk

name: Windows Gather Victim Network Info Through Ip Check Web Services
id: 70f7c952-0758-46d6-9148-d8969c4481d1
version: 21
creation_date: '2022-06-24'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.
data_source:
    - Sysmon EventID 22
search: |-
    `sysmon` EventCode=22  QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*", "*icanhazip.*", "*ipwho.is*", "*ifconfig.me*", "*myip.com*", "*ipstack.com*", "*myexternalip.com*", "*ip-api.io*", "*trackip.net*", "*ipgeolocation.io*", "*ipfind.io*", "*freegeoip.app*", "*ipv4bot.whatismyipaddress.com*")
      | stats  min(_time) as firstTime max(_time) as lastTime count
        BY answer answer_count dvc
           process_exec process_guid process_name
           query query_count reply_code_id
           signature signature_id src
           user_id vendor_product QueryName
           QueryResults QueryStatus
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_gather_victim_network_info_through_ip_check_web_services_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.
known_false_positives: Filter internet browser application to minimize the false positive of this detection.
references:
    - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dvc
          type: system
          score: 20
          message: a network connection on known abused web services from $dvc$
threat_objects:
    - field: process_name
      type: process_name
analytic_story:
    - Azorult
    - DarkCrystal RAT
    - Phemedrone Stealer
    - Snake Keylogger
    - Handala Wiper
    - PXA Stealer
    - Meduza Stealer
    - Water Gamayun
    - Quasar RAT
    - 0bj3ctivity Stealer
    - Castle RAT
    - Void Manticore
    - BlankGrabber Stealer
    - VIP Keylogger
asset_type: Endpoint
mitre_attack_id:
    - T1590.005
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: search

`sysmon` EventCode=22  QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*", "*icanhazip.*", "*ipwho.is*", "*ifconfig.me*", "*myip.com*", "*ipstack.com*", "*myexternalip.com*", "*ip-api.io*", "*trackip.net*", "*ipgeolocation.io*", "*ipfind.io*", "*freegeoip.app*", "*ipv4bot.whatismyipaddress.com*")

Stage 2: stats

| stats  min(_time) as firstTime max(_time) as lastTime count
    BY answer answer_count dvc
       process_exec process_guid process_name
       query query_count reply_code_id
       signature signature_id src
       user_id vendor_product QueryName
       QueryResults QueryStatus

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `windows_gather_victim_network_info_through_ip_check_web_services_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 22 corpus 16 (splunk 16)
QueryNamein
  • "*api.ip.sb"
  • "*api.ipify.org"
  • "*b.barracudacentral.org"
  • "*cbl.abuseat.org"
  • "*checkip.*"
  • "*dnsbl-1.uceprotect.net"
  • "*freegeoip.app*"
  • "*geoip.*"
  • "*icanhazip.*"
  • "*icanhazip.com"
  • "*ifconfig.me*"
  • "*ip-api.com*"
  • "*ip-api.io*"
  • "*ip.anysrc.com"
  • "*ipecho.net"
  • "*ipfind.io*"
  • "*ipgeolocation.io*"
  • "*ipinfo.io"
  • "*iplogger.org*"
  • "*ipstack.com*"
  • "*ipv4bot.whatismyipaddress.com*"
  • "*ipwho.is*"
  • "*myexternalip.com*"
  • "*myip.com*"
  • "*spam.dnsbl.sorbs.net"
  • "*trackip.net*"
  • "*wtfismyip.com"
  • "*zen.spamhaus.org"
  • "ident.me"
  • "www.myexternalip.com"