DNS Request for IP Lookup Service via Unsigned Binary
Detects when a DNS request is made for an IP lookup service to determine the external IP address of the system via an unsigned or untrusted binary. This is commonly used by malware for reconnaissance before establishing C2 connections.
Rule type: eql
Rule indices:
- logs-endpoint.events.network-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Discovery
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
dns where host.os.type == "macos" and event.action == "lookup_result" and
(process.code_signature.trusted == false or process.code_signature.exists == false) and
dns.question.name like~ ("*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*",
"*api.npoint.io*", "*whatismyip.akamai.com*", "*bot.whatismyipaddress.com*",
"*ifcfg.me*", "*ifconfig.me*", "*ident.me*", "*ipof.in*", "*ip.tyk.nu*",
"*ipwhois.app*", "*freeipapi.com*", "*icanhazip.com*", "*curlmyip.com*",
"*wgetip.com*", "*eth0.me*", "*ipecho.net*", "*ip.appspot.com*",
"*api.myip.com*", "*geoiptool.com*", "*api.2ip.ua*", "*api.ip.sb*",
"*ipinfo.io*", "*checkip.amazonaws.com*", "*wtfismyip.com*", "*iplogger.*",
"*freegeoip.net*", "*freegeoip.app*", "*myip.ipip.net*", "*geoplugin.net*",
"*myip.dnsomatic.com*", "*www.geoplugin.net*", "*api64.ipify.org*",
"*ip4.seeip.org*", "*.geojs.io*", "*portmap.io*", "*api.db-ip.com*",
"*geolocation-db.com*", "*inet-ip.info*", "*httpbin.org*", "*myip.opendns.com*") and
not process.executable like "/Users/*/Library/Developer/CoreSimulator/*"
Framework: MITRE ATT&CK
Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: System Network Configuration Discovery
- Id: T1016
- Reference URL: https://attack.mitre.org/techniques/T1016/
Sub Technique:
- Name: Internet Connection Discovery
- Id: T1016.001
- Reference URL: https://attack.mitre.org/techniques/T1016/001/