From b57fd60c9511e20a336d32a9c9b8d5cf9954c50e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Tue, 20 Apr 2021 21:54:29 -0500
Subject: [PATCH] Update discovery_post_exploitation_external_ip_lookup.toml "*ipapi.co", "*ip-lookup.net", "*ipstack.com"
---
 .../discovery_post_exploitation_external_ip_lookup.toml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 5bf984b6848..894a1eb8bfd 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -54,7 +54,10 @@ network where network.protocol == "dns" and
 "*myipaddress.com",
 "*showipaddress.com",
 "*whatismyipaddress.com",
- "*wtfismyip.com"
+ "*wtfismyip.com",
+ "*ipapi.co",
+ "*ip-lookup.net",
+ "*ipstack.com"
 ) and
 /* Insert noisy false positives here */
 not process.executable :
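Review bot: The three added patterns (`"*ipapi.co"`, `"*ip-lookup.net"`, `"*ipstack.com"`) are bare suffix wildcards with no dot anchor, so any queried name that merely ends in one of those strings matches, not only the service's domain and its subdomains; the short `ipapi.co` is the most likely to collide with unrelated names. This follows the style of the existing entries in the list, so if the looseness is intentional a comment such as `/* suffix match: also fires on unrelated names ending in these strings */` would record it; otherwise anchor each entry as a pair, e.g. `"ipapi.co", "*.ipapi.co"`. The diffstat shows this hunk as the only change in the file, so the rule's `updated_date` metadata was presumably not bumped, which is worth confirming before merge. The query continues outside the hunk on both sides, so the exclusion list after `not process.executable :` could not be checked against the new domains.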