DNS Request for IP Lookup Service via Unsigned Binary

Elastic Detection Rules

Summary
This detection rule identifies DNS requests initiated by unsigned or untrusted binaries on macOS systems that attempt to determine the host's external IP address through IP lookup services. Such behavior is typically observed in malicious software during the reconnaissance phase that precedes command-and-control (C2) communication. The rule captures instances where an unsigned process resolves domains of popular services such as 'api.ipify.org' or 'ipinfo.io', which are commonly used to discover external connectivity. The investigative focus of the rule is on establishing the legitimacy of any detected unsigned process by examining its parent process and its network behavior. The rule also stresses the need for a response plan if an unsigned binary is found to be associated with malicious activity, including isolating affected devices, quarantining suspicious executables, and reviewing any unusual network behavior that follows the DNS lookup.
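The matching logic described above, shown as an added Python example over constructed endpoint events; this is not the Elastic rule's own query, and the field names only mirror Elastic Common Schema names (process.code_signature.exists / .trusted, dns.question.name, process.parent.name) for readability. The two lookup domains come from the description; the rule itself covers further services, so the list is a placeholder to extend. The example also attaches the parent process to each alert, since that is the first thing the triage guidance above asks an analyst to examine.

```python
from dataclasses import dataclass

# Domains of public external-IP lookup services named in the rule description.
# Assumption: the real rule matches additional services; extend this list.
IP_LOOKUP_DOMAINS = ("api.ipify.org", "ipinfo.io")


@dataclass
class DnsEvent:
    """One DNS request as an endpoint sensor would record it (ECS-like fields)."""
    process_name: str
    parent_name: str
    code_signature_exists: bool   # process.code_signature.exists
    code_signature_trusted: bool  # process.code_signature.trusted
    dns_question_name: str        # dns.question.name


def is_ip_lookup_domain(name: str) -> bool:
    """True when the queried name is a listed lookup service or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def is_unsigned_or_untrusted(ev: DnsEvent) -> bool:
    """Unsigned (no signature) or signed but not trusted (e.g. ad-hoc signed) both count."""
    return not (ev.code_signature_exists and ev.code_signature_trusted)


def evaluate(events: list[DnsEvent]) -> list[dict]:
    """Return one alert per event that satisfies both conditions of the rule.

    Each alert carries the parent process so the analyst can start the
    legitimacy check the rule recommends without a second lookup.
    """
    alerts = []
    for ev in events:
        if is_unsigned_or_untrusted(ev) and is_ip_lookup_domain(ev.dns_question_name):
            alerts.append({
                "process": ev.process_name,
                "parent": ev.parent_name,
                "domain": ev.dns_question_name,
                "signature": "absent" if not ev.code_signature_exists else "untrusted",
            })
    return alerts


# Constructed sample events (not real telemetry) covering the cases that matter:
# a trusted signed browser, an unsigned binary, an ad-hoc signed binary, and an
# unsigned binary querying an unrelated (placeholder) domain.
SAMPLE_EVENTS = [
    DnsEvent("Google Chrome", "launchd", True, True, "api.ipify.org"),
    DnsEvent("updater", "bash", False, False, "ipinfo.io"),
    DnsEvent("helper", "Terminal", True, False, "api.ipify.org."),
    DnsEvent("updater", "bash", False, False, "www.example.com"),
]


def run_sample() -> list[dict]:
    """Evaluate the constructed events; used by the usage line below."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The trusted browser querying the same service is deliberately not flagged: the rule keys on the signing state of the requesting process, not on the domain alone, which is what keeps ordinary software that checks connectivity out of the alert queue.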
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1016
  • T1016.001
Created: 2026-01-30