{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/public-ip/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["discovery","command-and-control","windows","public-ip"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies instances where suspicious Windows processes use DNS queries to resolve well-known public IP address lookup services. Attackers may leverage these services to determine the external IP address of a compromised host, which is a common reconnaissance step before further malicious activity. This activity is often associated with initial access, privilege escalation, or establishing command and control channels. The processes monitored include scripting engines (powershell.exe, wscript.exe), installers (msiexec.exe), and other LOLBins (bitsadmin.exe, rundll32.exe) often abused by threat actors. The rule also flags unsigned or untrusted executables making these DNS requests. Defenders should monitor for this behavior to identify potentially compromised systems early in the attack chain.\nThe detection logic is derived from Elastic detection rule 642ce354-4252-4d43-80c9-6603f16571c1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user inadvertently executes a malicious file or script (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious code executes using a scripting engine like PowerShell or a LOLBin such as mshta.exe.\u003c/li\u003e\n\u003cli\u003eThe executing process initiates a DNS query to resolve a public IP address lookup service (e.g., api.ipify.org, icanhazip.com).\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves successfully, providing the external IP address of the host.\u003c/li\u003e\n\u003cli\u003eThe malicious process stores the external IP address for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered external IP address to identify the target for subsequent attacks or to establish a command and control channel.\u003c/li\u003e\n\u003cli\u003eThe compromised host communicates with a C2 server, providing system information, including the external IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the C2 channel to deploy additional malware, escalate privileges, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to an attacker gaining knowledge of the target\u0026rsquo;s external IP address, enabling them to perform reconnaissance, launch targeted attacks, and potentially compromise the entire network. If an attacker learns the external IP address, they can scan it for exposed services and devices, which can be used to gain an initial foothold in the network.\nThere is no specific victim count available, but this type of reconnaissance is common across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Processes Querying Public IP Discovery Services\u003c/code\u003e to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains listed in the IOC table at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to ensure proper visibility for the detections in this brief.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the DNS queries and the associated processes.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from processes that have queried public IP address services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T17:30:00Z","date_published":"2024-01-09T17:30:00Z","id":"/briefs/2024-01-public-ip-discovery/","summary":"Detection of suspicious Windows processes using DNS queries to public IP address lookup services can indicate reconnaissance activity or command and control preparation by threat actors.","title":"Suspicious Windows Processes Querying Public IP Discovery Services via DNS","url":"https://feed.craftedsignal.io/briefs/2024-01-public-ip-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed — Public-Ip","version":"https://jsonfeed.org/version/1.1"}