| ID | Technique | Tactic |
|---|---|---|
| T1590.005 | IP Addresses | Reconnaissance |
| T1016 | System Network Configuration Discovery | Discovery |
Detection: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
Description
This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services,
such as ipinfo.io, icanhazip.com, ip-api.com, and others.
These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate
network reconnaissance, virtual machine detection, or staging by malware.
This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns.
The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser
processes to reduce noise.
Search
1`cisco_network_visibility_module_flowdata`
2dest_hostname IN (
3 "*api.2ip.ua*", "*api.bigdatacloud.net*", "*api.ipify.org*", "*whatismyipaddress.com*",
4 "*canireachthe.net*", "*checkip.amazonaws.com*", "*checkip.dyndns.org*", "*curlmyip.com*",
5 "*db-ip.com*", "*edns.ip-api.com*", "*eth0.me*", "*freegeoip.app*", "*geoipy.com*", "*getip.pro*",
6 "*icanhazip.com*", "*ident.me*", "*ifconfig.io*", "*ifconfig.me*", "*ip-api.com*", "*ip.360.cn*",
7 "*ip.anysrc.net*", "*ip.taobao.com*", "*ip.tyk.nu*", "*ipaddressworld.com*", "*ipapi.co*",
8 "*ipconfig.io*", "*ipecho.net*", "*ipinfo.io*", "*ipip.net*", "*iplocation.net*",
9 "*ipof.in*", "*ipv6-test.com*", "*ipwho.is*", "*trackip.net*", "*inet-ip.info*",
10 "*jsonip.com*", "*myexternalip.com*", "*seeip.org*", "*wgetip.com*",
11 "*whatismyip.akamai.com*", "*whois.pconline.com.cn*", "*wtfismyip.com*", "*ip.cn"
12 )
13NOT process_name IN (
14 "brave.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "maxthon.exe",
15 "MicrosoftEdge.exe", "msedge.exe", "msedgewebview2.exe", "opera.exe", "safari.exe",
16 "seamonkey.exe", "vivaldi.exe", "whale.exe"
17 )
18
19| stats count min(_time) as firstTime max(_time) as lastTime
20 values(parent_process_arguments) as parent_process_arguments
21 values(process_arguments) as process_arguments
22 values(parent_process_hash) as parent_process_hash
23 values(process_hash) as process_hash
24 values(module_name_list) as module_name_list
25 values(module_hash_list) as module_hash_list
26 values(dest_port) as dest_port
27 values(aliul) as additional_logged_in_users_list
28 values(dest_hostname) as dest_hostname
29 by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
30
31| `security_content_ctime(firstTime)`
32
33| `security_content_ctime(lastTime)`
34
35| table
36 parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
37 process_integrity_level process_path process_name process_arguments process_hash process_id
38 additional_logged_in_users_list module_name_list module_hash_list
39 src dest_hostname dest dest_port transport firstTime lastTime
40
41| `cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api_filter`
Data Source
No data sources specified for this detection.
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api_filter | search * |
cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Reconnaissance
DE.AE
CIS 10
APT19
APT3
APT32
APT41
APT42
Andariel
BlackByte
Chimera
Darkhotel
Dragonfly
Earth Lusca
FIN13
GALLIUM
HAFNIUM
HEXANE
Higaisa
Ke3chang
Kimsuky
Lazarus Group
Lotus Blossom
Magic Hound
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Naikon
OilRig
Play
SideCopy
Sidewinder
Stealth Falcon
TeamTNT
Threat Group-3390
Tropic Trooper
Turla
Volt Typhoon
Wizard Spider
ZIRCONIUM
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
Internal scripts or agents performing network checks may query IP geolocation services. Tune by excluding known tools or adding internal allowlists for destination domains or process names and commandlines.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The host $src$ made a network request to IP lookup service $dest_hostname$ using suspicious process $process_path$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 40 | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1