capture public ip

rule:
  meta:
    name: capture public ip
    namespace: collection/network
    authors:
      - "@_re_fox"
      - "still@teamt5.org"
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
    examples:
      - 84f1b049fa8962b215a77f51af6714b3:0x100061e5
  features:
    - and:
      - api: InternetOpen
      - api: InternetOpenUrl
      - api: InternetReadFile
      - or:
        - substring: "bot.whatismyipaddress.com"
        - substring: "ipinfo.io/ip"
        - substring: "checkip.dyndns.org"
        - substring: "ifconfig.me"
        - substring: "ipecho.net/plain"
        - substring: "api.ipify.org"
        - substring: "checkip.amazonaws.com"
        - substring: "icanhazip.com"
        - substring: "wtfismyip.com/text"
        - substring: "api.myip.com"
        - substring: "ip-api.com/line"
        - substring: "ip.tool.chinaz.com"
        - substring: "1234i.com"
        - substring: "ip138.com"
        - substring: "myip.com.tw"
        - substring: "taobao.com/help/getip.php"
        - substring: "chaipip.com"
        - substring: "sojson.com/ip"