Threat Feed
Severity: high

Suspicious Windows Processes Querying Public IP Discovery Services via DNS

Detection of suspicious Windows processes using DNS queries to public IP address lookup services can indicate reconnaissance activity or command and control preparation by threat actors.

This detection identifies instances where suspicious Windows processes use DNS queries to resolve well-known public IP address lookup services. Attackers may leverage these services to determine the external IP address of a compromised host, which is a common reconnaissance step before further malicious activity. This activity is often associated with initial access, privilege escalation, or establishing command and control channels. The processes monitored include scripting engines (powershell.exe, wscript.exe), installers (msiexec.exe), and other LOLBins (bitsadmin.exe, rundll32.exe) often abused by threat actors. The rule also flags unsigned or untrusted executables making these DNS requests. Defenders should monitor for this behavior to identify potentially compromised systems early in the attack chain. The detection logic is derived from Elastic detection rule 642ce354-4252-4d43-80c9-6603f16571c1.

Attack Chain

  1. A user inadvertently executes a malicious file or script (e.g., via phishing or drive-by download).
  2. The malicious code executes using a scripting engine like PowerShell or a LOLBin such as mshta.exe.
  3. The executing process initiates a DNS query to resolve a public IP address lookup service (e.g., api.ipify.org, icanhazip.com).
  4. The DNS query resolves successfully, providing the external IP address of the host.
  5. The malicious process stores the external IP address for later use.
  6. The attacker uses the discovered external IP address to identify the target for subsequent attacks or to establish a command and control channel.
  7. The compromised host communicates with a C2 server, providing system information, including the external IP address.
  8. The attacker leverages the C2 channel to deploy additional malware, escalate privileges, or exfiltrate data.

Impact

Successful exploitation can lead to an attacker gaining knowledge of the target’s external IP address, enabling them to perform reconnaissance, launch targeted attacks, and potentially compromise the entire network. An attacker who knows the external IP can scan it for exposed services and devices, which can be used to gain an initial foothold in the network. There is no specific victim count available, but this type of reconnaissance is common across various sectors.

Recommendation

  • Deploy the Sigma rule Suspicious Processes Querying Public IP Discovery Services to your SIEM and tune for your environment.
  • Block the C2 domains listed in the IOC table at the DNS resolver.
  • Enable Sysmon Event ID 22 (DNS Query) logging to ensure proper visibility for the detections in this brief.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the DNS queries and the associated processes.
  • Monitor for network connections originating from processes that have queried public IP address services.

Detection coverage (2 rules)

Suspicious Processes Querying Public IP Discovery Services (severity: high)

Detects suspicious Windows processes querying known public IP address lookup services via DNS.

Rule format: Sigma. Tactics: command_and_control, discovery. Techniques: T1016. Sources: dns_query, windows.

Suspicious Processes Code Signature Check (severity: medium)

Detects suspicious processes that are unsigned, or signed by an untrusted authority, making DNS requests.

Rule format: Sigma. Tactics: defense_evasion. Techniques: T1027. Sources: process_creation, windows.

Detection queries are kept inside the platform.
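As an added illustration (not the platform's Sigma rules nor the Elastic rule they derive from), the following Python reproduces the logic of both rules above and runs it over constructed sample telemetry. It correlates process_creation records with dns_query records by pid so the code-signature check can use the trust status recorded when the process started; the event field names, the sample records, the pid values and the wildcard entry *.geojs.io (included to show pattern-style indicator matching) are all assumptions.

```python
import json
from fnmatch import fnmatch
# Lookup services to watch: api.ipify.org and icanhazip.com are named in the brief;
# *.geojs.io is a wildcard entry included to show pattern-style indicator matching.
IP_LOOKUP_DOMAINS = ("api.ipify.org", "icanhazip.com", "*.geojs.io")
# Scripting engines, installers and LOLBins the brief says the first rule monitors.
SUSPICIOUS_IMAGES = {"powershell.exe", "wscript.exe", "msiexec.exe",
                     "bitsadmin.exe", "rundll32.exe", "mshta.exe"}
RULE_PROCESS = "Suspicious Processes Querying Public IP Discovery Services"
RULE_SIGNATURE = "Suspicious Processes Code Signature Check"

def basename(path):
    # Last component of a Windows (or POSIX) path, lower-cased for comparison.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_ip_lookup(query):
    # Case-insensitive match, ignoring a trailing dot; wildcards follow fnmatch rules.
    name = query.lower().rstrip(".")
    return any(fnmatch(name, pattern) for pattern in IP_LOOKUP_DOMAINS)

def evaluate(events):
    """Correlate process_creation and dns_query events by pid (events in time
    order) and return (rule, image, query) for each query that fires a rule."""
    trusted = {}  # pid -> code-signature trust recorded at process start
    alerts = []
    for ev in events:
        if ev["source"] == "process_creation":
            trusted[ev["pid"]] = bool(ev.get("signature_trusted"))
        elif ev["source"] == "dns_query" and is_ip_lookup(ev["query"]):
            image = basename(ev["image"])
            if image in SUSPICIOUS_IMAGES:
                alerts.append((RULE_PROCESS, image, ev["query"]))
            if not trusted.get(ev["pid"], False):  # no start record: treat as untrusted
                alerts.append((RULE_SIGNATURE, image, ev["query"]))
    return alerts

# Constructed sample telemetry (not real logs; field names are assumed, not a product schema). One JSON record per line, oldest first.
SAMPLE_LOG = r"""
{"source": "process_creation", "pid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "signature_trusted": true}
{"source": "process_creation", "pid": 5208, "image": "C:\\Users\\Public\\updater.exe", "signature_trusted": false}
{"source": "process_creation", "pid": 6044, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "signature_trusted": true}
{"source": "dns_query", "pid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "query": "api.ipify.org"}
{"source": "dns_query", "pid": 5208, "image": "C:\\Users\\Public\\updater.exe", "query": "icanhazip.com"}
{"source": "dns_query", "pid": 6044, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query": "get.geojs.io"}
{"source": "dns_query", "pid": 6044, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query": "www.example.com"}
"""

def alerts_from_log(text=SAMPLE_LOG):
    # Parse newline-delimited JSON and run both rules over it.
    return evaluate(json.loads(line) for line in text.splitlines() if line.strip())
```

On the sample data the signed browser querying get.geojs.io fires nothing, which is the tuning the Recommendation section asks for: a lookup-service query alone is not an alert unless the process is one of the monitored LOLBins or lacks a trusted signature.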

Indicators of compromise (36 domain entries)
