Linux External IP Discovery via Curl
This brief details the detection of Linux processes utilizing `curl` to contact known public IP address lookup web services, a common post-exploitation technique employed by malware and adversaries to ascertain a host's internet-facing IP, impacting reconnaissance and command-and-control tailoring.
This threat brief focuses on a common post-exploitation tactic where adversaries leverage the curl utility on Linux systems to discover the external IP address of a compromised host. This activity is frequently observed in malware and during manual attacker reconnaissance. After gaining initial access and shell capabilities, an attacker will often query public IP lookup services (e.g., ifconfig.me, ipify.org) to understand the network context of their target. This information helps them determine if the system is behind a NAT or cloud infrastructure, verify outbound connectivity, and subsequently tailor their command-and-control (C2) communications or decide on further actions. While individual instances of this activity might be benign (e.g., administrator troubleshooting), its occurrence post-compromise is a strong indicator of malicious intent, making detection crucial for identifying adversary presence and preventing subsequent stages of an attack.
Attack Chain
- Initial Access: An attacker successfully compromises a Linux system, often gaining shell access through a vulnerability exploitation, credential compromise, or malicious payload execution.
- Execution of
curl: The attacker or malware executes thecurlcommand-line utility from a shell or script. - External IP Discovery:
curlis directed to contact a known public IP address lookup web service (e.g.,icanhazip.com,api.ipify.org). - Network Context Assessment: The returned public IP address is used by the attacker to understand the system's outbound network configuration, including whether it's behind a NAT or within cloud infrastructure.
- Decision Point: Based on the discovered IP, the attacker makes decisions regarding subsequent actions, such as configuring C2 channels, performing further reconnaissance, or exfiltrating data.
- Follow-on Activity: The attacker proceeds with activities like establishing persistent C2, deploying additional tools, or initiating lateral movement, leveraging the gathered network intelligence.
Impact
While the act of discovering an external IP address itself does not cause direct damage, its successful execution provides crucial intelligence to an adversary, significantly impacting the efficacy of subsequent attack stages. If this reconnaissance goes undetected, attackers can better adapt their tactics for command-and-control, data exfiltration, and lateral movement, potentially leading to widespread compromise, data breaches, or denial of service. The impact includes the successful continuation of the attack chain, making the system more vulnerable to deeper compromise and enabling attackers to bypass network defenses specifically tailored to internal IP schemes.
Recommendation
- Deploy the Sigma rule "Linux External IP Address Discovery via Curl" to your SIEM and tune for your environment.
- Configure endpoint telemetry to capture process creation events, including
process.nameandprocess.command_line, especially forcurlexecutions, as required by the detection rule. - Implement network egress filtering to restrict outbound
curlaccess to only explicitly approved destinations, blocking the domains listed in the IOCs where not legitimately required. - Review the
process.parent.nameandprocess.parent.executablefields in your logs to identify legitimate scripts or services that might trigger the rule and add them to the rule's filter block as appropriate. - Monitor for
curlactivity from unusual parent processes or unexpected directories (/tmp,/var/tmp,/dev/shm) as highlighted in the rule's query.
Detection coverage 1
Linux External IP Address Discovery via Curl
lowDetects Linux processes making a curl request to a known public IP address lookup web service, a common behavior in malware for external IP discovery.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
38
domain
| Type | Value |
|---|---|
| domain | ip-api.com |
| domain | checkip.dyndns.org |
| domain | api.ipify.org |
| domain | whatismyip.akamai.com |
| domain | bot.whatismyipaddress.com |
| domain | ifcfg.me |
| domain | ifconfig.me |
| domain | ident.me |
| domain | ipof.in |
| domain | ip.tyk.nu |
| domain | icanhazip.com |
| domain | curlmyip.com |
| domain | wgetip.com |
| domain | eth0.me |
| domain | ipecho.net |
| domain | ip.appspot.com |
| domain | api.myip.com |
| domain | geoiptool.com |
| domain | api.2ip.ua |
| domain | api.ip.sb |
| domain | ipinfo.io |
| domain | checkip.amazonaws.com |
| domain | wtfismyip.com |
| domain | freegeoip.net |
| domain | freegeoip.app |
| domain | geoplugin.net |
| domain | myip.dnsomatic.com |
| domain | www.geoplugin.net |
| domain | api64.ipify.org |
| domain | ip4.seeip.org |
| domain | .geojs.io |
| domain | portmap.io |
| domain | api.db-ip.com |
| domain | geolocation-db.com |
| domain | httpbin.org |
| domain | myip.opendns.com |
| domain | ipv4.icanhazip.com |
| domain | ipv6.icanhazip.com |