Linux External IP Address Discovery via Curl
Malware and threat actors on Linux systems utilize the `curl` command to query public web services for external IP address discovery, a reconnaissance technique (T1016) that can precede further C2 establishment or targeted attacks.
This brief details a common reconnaissance technique employed by malware and threat actors operating on Linux systems: the discovery of a compromised host's external IP address using the curl utility. Attackers leverage curl to send requests to various public IP lookup services (e.g., ip-api.com, ifconfig.me), which then return the external IP address of the originating request. This action is crucial for attackers to understand their network egress point, configure command and control (C2) channels, or to tailor subsequent attack phases based on the victim's geographical or network location. The detection focuses on identifying curl executions where the command line arguments contain known domain patterns for these IP lookup services. This activity, while benign in some legitimate contexts, is frequently observed as a post-exploitation step, making it a valuable indicator of potential malicious activity.
Attack Chain
- Initial Compromise: An attacker gains initial access to a Linux system through various means (e.g., exploiting a vulnerability, phishing, weak credentials).
- Establish Foothold: The attacker establishes persistence and ensures continued access to the compromised system.
- Process Execution: The attacker executes the
curlutility, often from a suspicious parent process or unusual directory. - External IP Lookup:
curlis directed to query a known public web service (e.g.,api.ipify.org,icanhazip.com) to retrieve the host's external IP address. - Information Gathering: The output of the
curlcommand, containing the external IP, is captured by the attacker. - Reconnaissance/C2 Setup: The obtained external IP address is then used by the attacker for further reconnaissance, establishing a stable command and control (C2) channel, or preparing for subsequent stages of their operation.
Impact
Successful external IP address discovery by an attacker, while not directly damaging, is a critical precursor to more impactful activities. It provides the adversary with essential network context, enabling them to bypass network segmentation, configure firewalls or routing for C2 communications, or identify targets within the same external network space. This can lead to subsequent data exfiltration, deployment of additional malware, or lateral movement within the victim's broader infrastructure, significantly increasing the risk of financial loss, data breach, or operational disruption.
Recommendation
- Deploy the provided Sigma rule "Linux External IP Address Discovery via Curl" to your SIEM/EDR to detect this specific reconnaissance technique.
- Ensure process creation logging is enabled for
curlon Linux endpoints, as required for the detection rule to function effectively. - Block connections to the listed public IP lookup domains (e.g.,
ip-api.com,api.ipify.org,icanhazip.com) at the network perimeter where appropriate to limit an attacker's ability to perform this reconnaissance. - Investigate alerts generated by the "Linux External IP Address Discovery via Curl" rule, focusing on the parent process and execution path of
curlfor signs of compromise.
Detection coverage 1
Linux External IP Address Discovery via Curl
lowDetects the execution of 'curl' on Linux systems to query known public web services for external IP address discovery, a common reconnaissance technique used by malware.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
38
domain
| Type | Value |
|---|---|
| domain | ip-api.com |
| domain | checkip.dyndns.org |
| domain | api.ipify.org |
| domain | whatismyip.akamai.com |
| domain | bot.whatismyipaddress.com |
| domain | ifcfg.me |
| domain | ifconfig.me |
| domain | ident.me |
| domain | ipof.in |
| domain | ip.tyk.nu |
| domain | icanhazip.com |
| domain | curlmyip.com |
| domain | wgetip.com |
| domain | eth0.me |
| domain | ipecho.net |
| domain | ip.appspot.com |
| domain | api.myip.com |
| domain | geoiptool.com |
| domain | api.2ip.ua |
| domain | api.ip.sb |
| domain | ipinfo.io |
| domain | checkip.amazonaws.com |
| domain | wtfismyip.com |
| domain | freegeoip.net |
| domain | freegeoip.app |
| domain | geoplugin.net |
| domain | myip.dnsomatic.com |
| domain | www.geoplugin.net |
| domain | api64.ipify.org |
| domain | ip4.seeip.org |
| domain | *.geojs.io |
| domain | portmap.io |
| domain | api.db-ip.com |
| domain | geolocation-db.com |
| domain | httpbin.org |
| domain | myip.opendns.com |
| domain | ipv4.icanhazip.com |
| domain | ipv6.icanhazip.com |