{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-reconnaissance/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["network-reconnaissance","malware-behavior","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting malicious activity where Windows processes attempt to gather network information by querying publicly available IP check web services. This behavior is often observed during the reconnaissance phase of an attack, where malware or threat actors attempt to determine the external IP address of the compromised system. This information can then be used to tailor further attacks or for lateral movement within the network. The detection is based on identifying DNS queries to a list of known IP check services, as reported in Sysmon Event ID 22. This technique has been used by malware families such as Trickbot, Azorult, and others to profile infected systems. Defenders should monitor for these queries, especially from unusual processes or those not typically associated with network administration tasks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user unknowingly executes a malicious executable (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious executable initiates a process on the endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to resolve a domain associated with a public IP check service (e.g., \u003ccode\u003ewtfismyip.com\u003c/code\u003e, \u003ccode\u003eipinfo.io\u003c/code\u003e) using DNS.\u003c/li\u003e\n\u003cli\u003eSysmon Event ID 22 logs the DNS query, including the process name, queried domain, and query status.\u003c/li\u003e\n\u003cli\u003eThe malware receives the external IP address of the compromised system from the IP check service.\u003c/li\u003e\n\u003cli\u003eThe malware uses this IP address for further reconnaissance, such as identifying the victim's geographical location or organization.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to customize subsequent stages of the attack, such as delivering targeted payloads or exploiting vulnerabilities specific to the victim's network.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt lateral movement, data exfiltration, or other malicious activities based on the network reconnaissance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to attackers gaining a comprehensive understanding of the victim's network environment, including their external IP address and geographical location. This information can be leveraged to refine attack strategies, deliver targeted payloads, and increase the likelihood of successful lateral movement and data exfiltration. Multiple malware families, including Trickbot and Azorult, utilize this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 logging with DNS query monitoring to capture the required events for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect processes querying known IP check web services in your environment and tune for legitimate use cases.\u003c/li\u003e\n\u003cli\u003eReview the IOCs listed to identify potential historical compromises and block DNS resolution to these domains.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on unusual process names or parent processes making these queries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ip-check-recon/","summary":"Detection of Windows processes using IP check web services for reconnaissance, a behavior commonly associated with malware like Trickbot, by monitoring DNS queries.","title":"Windows Processes Gathering Network Information via IP Check Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-ip-check-recon/"}],"language":"en","title":"CraftedSignal Threat Feed - Network-Reconnaissance","version":"https://jsonfeed.org/version/1.1"}