# ip\_lookup\_attempt

**Explanation**

The ip\_lookup\_attempt NDM is designed to detect when a customer network machine attempts to look itself up. This could be an indication of malicious activity on the network.

**What to Look For**

When examining the results of an ip\_lookup\_attempt NDM event, note that it is often surrounded by other traffic such as C2 payload downloads, lateral spreading, or attempts to offload data. This is *not* normal traffic on the network; it should be investigated heavily and treated as highly suspicious.

**Related MITRE ATT\&CK Categories**

[Reconnaissance: Gather Victim Network Information, Technique T1590 - Enterprise](https://attack.mitre.org/techniques/T1590)
