This hunting rule targets processes that attempt to connect to known IP-check web services by monitoring DNS queries captured in Sysmon EventCode 22 logs. It specifically tracks requests to services like "wtfismyip.com" and "ipinfo.io". These types of queries are often associated with malware such as Trickbot, which uses them for reconnaissance to identify the infected machine's external IP address. By detecting such behavior, the analytic provides insight into potential reconnaissance activities that could precede further attacks or lateral movement within an organization's network. The rule facilitates the identification of malicious activities by summarizing the occurrences of these DNS queries, which can help security teams respond proactively to emerging threats.