T1016

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.

Microsoft Sentinel / Defender

kusto

let NetworkDiscoveryBinaries = dynamic([
  "ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
  "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe"
]);
let NetworkDiscoveryKeywords = dynamic([
  "ipconfig", "ifconfig", "ip addr", "ip route", "ip link",
  "arp -a", "arp -n", "netstat -r", "route print", "nbtstat",
  "netsh interface", "Get-NetIPConfiguration", "Get-NetAdapter",
  "Get-NetRoute", "Get-DnsClientServerAddress", "gwmi Win32_NetworkAdapterConfiguration",
  "Win32_NetworkAdapter", "esxcli network", "show ip route", "show ip interface",
  "networksetup", "system_profiler SPNetworkDataType"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ (NetworkDiscoveryBinaries)
    or (FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe", "python3.exe")
        and ProcessCommandLine has_any (NetworkDiscoveryKeywords))
  )
| extend IsNativeDiscoveryTool = FileName in~ (NetworkDiscoveryBinaries)
| extend IsScriptedDiscovery = FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend SuspiciousParent = InitiatingProcessFileName in~ (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
    "regsvr32.exe", "msiexec.exe", "svchost.exe"
  )
| extend CommandArgs = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessAccountName,
    IsNativeDiscoveryTool, IsScriptedDiscovery, SuspiciousParent
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting
IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule
Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications
Security scanners and vulnerability assessment tools that collect host network configuration as part of asset inventory
Developer workstations where developers routinely use PowerShell Get-NetIPConfiguration or ip addr for network testing

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\ipconfig.exe" OR Image="*\\arp.exe" OR Image="*\\nbtstat.exe"
   OR Image="*\\route.exe" OR Image="*\\netstat.exe" OR Image="*\\netsh.exe"
   OR Image="*\\hostname.exe" OR Image="*\\tracert.exe" OR Image="*\\pathping.exe"
   OR (Image="*\\powershell.exe" AND (CommandLine="*Get-NetIPConfiguration*" OR CommandLine="*Get-NetAdapter*"
       OR CommandLine="*Get-NetRoute*" OR CommandLine="*Win32_NetworkAdapterConfiguration*"
       OR CommandLine="*Win32_NetworkAdapter*" OR CommandLine="*Get-DnsClientServerAddress*"))
   OR (Image="*\\cmd.exe" AND (CommandLine="*ipconfig*" OR CommandLine="*arp *" OR CommandLine="*nbtstat*"
       OR CommandLine="*route print*" OR CommandLine="*netstat*")))
| eval ToolName=mvindex(split(Image, "\\"), -1)
| eval IsNativeTool=if(match(ToolName, "^(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$"), 1, 0)
| eval IsScriptedDiscovery=if(match(Image, "powershell\.exe|cmd\.exe") AND match(CommandLine, "Get-Net|Win32_Network|ipconfig|arp |nbtstat|route print|netstat"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook|mshta|rundll32|regsvr32|msiexec)\.exe"), 1, 0)
| eval SuspicionScore=IsScriptedDiscovery + SuspiciousParent
| table _time, host, User, ToolName, CommandLine, ParentImage, ParentCommandLine,
        IsNativeTool, IsScriptedDiscovery, SuspiciousParent, SuspicionScore
| sort - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting
IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule
Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications
Security scanners and vulnerability assessment tools that collect host network configuration as part of asset inventory
Developer workstations where developers routinely use PowerShell Get-NetIPConfiguration or ip addr for network testing

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                    "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
  or (
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "python.exe", "python3.exe")
    and process.command_line : ("*Get-NetIPConfiguration*", "*Get-NetAdapter*",
                                "*Get-NetRoute*", "*Get-DnsClientServerAddress*",
                                "*Win32_NetworkAdapterConfiguration*", "*Win32_NetworkAdapter*",
                                "*ipconfig*", "*ifconfig*", "*ip addr*", "*ip route*",
                                "*arp -a*", "*arp -n*", "*netstat -r*", "*route print*",
                                "*nbtstat*", "*netsh interface*",
                                "*esxcli network*", "*show ip route*", "*show ip interface*",
                                "*networksetup*", "*system_profiler SPNetworkDataType*")
  )
) and not (
  process.parent.name in~ ("msiexec.exe") and
  process.name == "ipconfig.exe" and
  process.command_line : "*/all*"
)
| eval IsNativeTool = process.name in~ ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe",
                                         "netstat.exe", "netsh.exe", "hostname.exe",
                                         "tracert.exe", "pathping.exe")
| eval SuspiciousParent = process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe",
                                                    "outlook.exe", "mshta.exe", "wscript.exe",
                                                    "cscript.exe", "rundll32.exe",
                                                    "regsvr32.exe", "msiexec.exe")

medium severity high confidence

Data Sources

Elastic Endpoint (endpoint.events.process) Winlogbeat with Sysmon (event.code:1) Auditbeat process module (Linux)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

IT administrators and network engineers routinely execute ipconfig, netstat, route, and arp as part of standard troubleshooting, resulting in high-volume benign hits from known admin hosts or admin user accounts.
Software installers and patch management tools (SCCM, Ansible, Puppet, Chef) frequently invoke ipconfig or netsh during deployment scripts to validate network readiness, triggering IsNativeTool matches on known management infrastructure.
Monitoring and observability agents (Datadog, SolarWinds, PRTG) run scheduled network discovery commands via cmd.exe or PowerShell to collect interface metrics, generating recurring hits from the agent service account.
Developer workstations running WSL or Docker tooling may invoke ip addr, ip route, or ifconfig via Python or shell scripts as part of container network configuration checks.
Security scanning tools (Nessus, Qualys, Rapid7) that enumerate network configuration as part of authenticated vulnerability assessments will match scripted discovery patterns from known scanner IPs.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  "Parent Command Line" AS ParentCommandLine,
  CATEGORYNAME(category) AS Category,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  hostname AS HostName,
  CASE
    WHEN "Process Name" ILIKE '%\\ipconfig.exe'
      OR "Process Name" ILIKE '%\\arp.exe'
      OR "Process Name" ILIKE '%\\nbtstat.exe'
      OR "Process Name" ILIKE '%\\route.exe'
      OR "Process Name" ILIKE '%\\netstat.exe'
      OR "Process Name" ILIKE '%\\netsh.exe'
      OR "Process Name" ILIKE '%\\hostname.exe'
      OR "Process Name" ILIKE '%\\tracert.exe'
      OR "Process Name" ILIKE '%\\pathping.exe'
    THEN 1 ELSE 0
  END AS IsNativeTool,
  CASE
    WHEN ("Process Name" ILIKE '%\\powershell.exe' OR "Process Name" ILIKE '%\\pwsh.exe'
          OR "Process Name" ILIKE '%\\cmd.exe' OR "Process Name" ILIKE '%\\wscript.exe'
          OR "Process Name" ILIKE '%\\cscript.exe')
      AND ("Command Line" ILIKE '%Get-NetIPConfiguration%'
           OR "Command Line" ILIKE '%Get-NetAdapter%'
           OR "Command Line" ILIKE '%Get-NetRoute%'
           OR "Command Line" ILIKE '%Win32_NetworkAdapterConfiguration%'
           OR "Command Line" ILIKE '%Win32_NetworkAdapter%'
           OR "Command Line" ILIKE '%Get-DnsClientServerAddress%'
           OR "Command Line" ILIKE '%ipconfig%'
           OR "Command Line" ILIKE '%ifconfig%'
           OR "Command Line" ILIKE '%arp -%'
           OR "Command Line" ILIKE '%netstat%'
           OR "Command Line" ILIKE '%route print%'
           OR "Command Line" ILIKE '%nbtstat%'
           OR "Command Line" ILIKE '%netsh interface%'
           OR "Command Line" ILIKE '%esxcli network%')
    THEN 1 ELSE 0
  END AS IsScriptedDiscovery,
  CASE
    WHEN "Parent Process Name" ILIKE '%\\winword.exe'
      OR "Parent Process Name" ILIKE '%\\excel.exe'
      OR "Parent Process Name" ILIKE '%\\powerpnt.exe'
      OR "Parent Process Name" ILIKE '%\\outlook.exe'
      OR "Parent Process Name" ILIKE '%\\mshta.exe'
      OR "Parent Process Name" ILIKE '%\\rundll32.exe'
      OR "Parent Process Name" ILIKE '%\\regsvr32.exe'
      OR "Parent Process Name" ILIKE '%\\msiexec.exe'
    THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE (
    "Process Name" ILIKE '%\\ipconfig.exe'
    OR "Process Name" ILIKE '%\\arp.exe'
    OR "Process Name" ILIKE '%\\nbtstat.exe'
    OR "Process Name" ILIKE '%\\route.exe'
    OR "Process Name" ILIKE '%\\netstat.exe'
    OR "Process Name" ILIKE '%\\netsh.exe'
    OR "Process Name" ILIKE '%\\hostname.exe'
    OR "Process Name" ILIKE '%\\tracert.exe'
    OR "Process Name" ILIKE '%\\pathping.exe'
    OR (
      (
        "Process Name" ILIKE '%\\powershell.exe'
        OR "Process Name" ILIKE '%\\pwsh.exe'
        OR "Process Name" ILIKE '%\\cmd.exe'
        OR "Process Name" ILIKE '%\\wscript.exe'
        OR "Process Name" ILIKE '%\\cscript.exe'
      )
      AND (
        "Command Line" ILIKE '%Get-NetIPConfiguration%'
        OR "Command Line" ILIKE '%Get-NetAdapter%'
        OR "Command Line" ILIKE '%Get-NetRoute%'
        OR "Command Line" ILIKE '%Win32_NetworkAdapterConfiguration%'
        OR "Command Line" ILIKE '%Win32_NetworkAdapter%'
        OR "Command Line" ILIKE '%Get-DnsClientServerAddress%'
        OR "Command Line" ILIKE '%ipconfig%'
        OR "Command Line" ILIKE '%arp -%'
        OR "Command Line" ILIKE '%netstat%'
        OR "Command Line" ILIKE '%route print%'
        OR "Command Line" ILIKE '%nbtstat%'
        OR "Command Line" ILIKE '%netsh interface%'
        OR "Command Line" ILIKE '%esxcli network%'
      )
    )
  )
  AND LOGSOURCETYPEID IN (12, 215, 352)
ORDER BY starttime DESC
LAST 24 HOURS

medium severity high confidence

Data Sources

Microsoft Windows Security Event Log (LOGSOURCETYPEID 12) — EventID 4688 Sysmon for Windows (LOGSOURCETYPEID 215) — EventID 1 Microsoft Windows PowerShell (LOGSOURCETYPEID 352)

Required Tables

events

False Positives

Automated IT asset inventory and CMDB sync processes (e.g., ServiceNow Discovery, Microsoft SCCM hardware inventory) routinely invoke ipconfig /all, netsh, and netstat via scheduled tasks under SYSTEM or dedicated service accounts, generating high-volume benign hits on managed endpoints.
Remote support tools (TeamViewer, ConnectWise, BeyondTrust) and RMM agents frequently run network diagnostics including ipconfig, arp, and tracert as part of remote troubleshooting sessions, which will match on SuspiciousParent if spawned via their agent process.
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing network validation scripts as part of integration test suites will trigger IsScriptedDiscovery when running PowerShell Get-NetAdapter or netstat checks against local network adapters.

Sumo Logic CSE

sql

_sourceCategory=*/windows/sysmon OR _sourceCategory=*/windows/wineventlog/security OR _sourceCategory=*/windows/powershell
| where EventCode = 1 OR EventCode = 4688
| parse regex "(?i)(?:Image|New Process Name)\s*:\s*(?P<full_image_path>[^\r\n]+)" nodrop
| parse regex "(?i)(?:CommandLine|Process Command Line)\s*:\s*(?P<command_line>[^\r\n]+)" nodrop
| parse regex "(?i)(?:ParentImage|Creator Process Name)\s*:\s*(?P<parent_image>[^\r\n]+)" nodrop
| parse regex "(?i)(?:User|Subject Account Name)\s*:\s*(?P<user_name>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Computer|ComputerName)\s*:\s*(?P<host_name>[^\r\n]+)" nodrop
| parse regex "(?:[/\\\\])(?P<process_name>[^/\\\\\r\n]+\.exe)$" nodrop field=full_image_path
| parse regex "(?:[/\\\\])(?P<parent_name>[^/\\\\\r\n]+\.exe)$" nodrop field=parent_image
| toLowerCase process_name
| toLowerCase parent_name
| where process_name in ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                         "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
  OR (
    process_name in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "python.exe", "python3.exe")
    AND (
      command_line matches "(?i)Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute"
      OR command_line matches "(?i)Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|Get-DnsClientServerAddress"
      OR command_line matches "(?i)ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -"
      OR command_line matches "(?i)netstat|route print|nbtstat|netsh interface|esxcli network"
      OR command_line matches "(?i)show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType"
    )
  )
| eval IsNativeTool = if(process_name in ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe",
                                          "netstat.exe", "netsh.exe", "hostname.exe",
                                          "tracert.exe", "pathping.exe"), 1, 0)
| eval IsScriptedDiscovery = if(process_name in ("powershell.exe", "pwsh.exe", "cmd.exe",
                                                  "wscript.exe", "cscript.exe"), 1, 0)
| eval SuspiciousParent = if(parent_name in ("winword.exe", "excel.exe", "powerpnt.exe",
                                             "outlook.exe", "mshta.exe", "wscript.exe",
                                             "cscript.exe", "rundll32.exe",
                                             "regsvr32.exe", "msiexec.exe",
                                             "svchost.exe"), 1, 0)
| eval SuspicionScore = IsScriptedDiscovery + SuspiciousParent
| fields _messageTime, host_name, user_name, process_name, command_line,
         parent_name, IsNativeTool, IsScriptedDiscovery, SuspiciousParent, SuspicionScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (_sourceCategory=*/windows/sysmon) Windows Security Event Log (_sourceCategory=*/windows/wineventlog/security) Windows PowerShell Event Log (_sourceCategory=*/windows/powershell)

Required Tables

_sourceCategory=*/windows/sysmon _sourceCategory=*/windows/wineventlog/security _sourceCategory=*/windows/powershell

False Positives

Endpoint management platforms (Tanium, BigFix, Ansible Tower) that execute network configuration commands on managed hosts via their agent service accounts will generate high volumes of IsNativeTool hits from known management endpoints; allowlist by user_name or parent_name for these agents.
Network performance monitoring solutions such as PRTG, SolarWinds NPM, or Dynatrace agents running on Windows hosts periodically call netstat, ipconfig, and arp as part of network topology discovery, triggering this rule on every collection cycle.
Developer workstations running local Kubernetes clusters (minikube, kind, Docker Desktop) frequently invoke ip addr, netstat, and route commands via scripting interpreters (Python, cmd.exe) to inspect virtual network adapters, creating sustained IsScriptedDiscovery matches for development users.

Google Chronicle / SecOps

yaral

rule T1016_System_Network_Configuration_Discovery {

  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1016 System Network Configuration Discovery. Matches execution of native Windows network enumeration binaries (ipconfig, arp, nbtstat, route, netstat, netsh, hostname, tracert, pathping) and scripted discovery via PowerShell, cmd, or scripting interpreters using network enumeration cmdlets or shell commands. Also detects ESXi esxcli and Linux ip/ifconfig enumeration."
    mitre_technique = "T1016"
    mitre_tactic    = "TA0007"
    severity        = "MEDIUM"
    priority        = "MEDIUM"
    yara_version    = "YL2.0"
    rule_version    = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    (
      // Native Windows network discovery tools executed directly
      re.regex($e.target.process.file.full_path,
        `(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$`)

      or

      // Scripted discovery via interpreter with network enumeration keywords
      (
        re.regex($e.target.process.file.full_path,
          `(?i)\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$`)
        and
        re.regex($e.target.process.command_line,
          `(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|netstat|route print|nbtstat|netsh interface|esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path,
        `(?i)\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec|svchost)\.exe$`), 50, 0)
      +
      if(re.regex($e.target.process.file.full_path,
        `(?i)\\(powershell|pwsh|cmd|wscript|cscript)\.exe$`)
        and re.regex($e.target.process.command_line,
        `(?i)(Get-Net|Win32_Network|ipconfig|netstat|route print|arp |nbtstat)`), 30, 0)
      +
      if(re.regex($e.target.process.file.full_path,
        `(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$`), 20, 0)
    )
    $hostname        = $e.principal.hostname
    $user            = $e.principal.user.userid
    $process_name    = $e.target.process.file.full_path
    $command_line    = $e.target.process.command_line
    $parent_process  = $e.principal.process.file.full_path

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM — PROCESS_LAUNCH events from Windows endpoints via Chronicle Forwarder or BindPlane Chronicle Sysmon UDM parser (event.idm.read_only_udm.metadata.product_event_type: ProcessCreate) Chronicle CrowdStrike Falcon UDM feed Chronicle Carbon Black UDM feed

Required Tables

UDM entity graph (PROCESS_LAUNCH event type)

False Positives

Automated patch management orchestration tools (SCCM, Intune, Puppet) that spawn ipconfig or netsh as child processes of msiexec.exe or svchost.exe during software deployments will score positively on SuspiciousParent due to those parent process names appearing in the risk scoring logic.
Network baseline capture scripts executed by IT operations teams using PowerShell Get-NetAdapter or Get-NetIPConfiguration to document adapter configuration before and after maintenance windows will match the scripted discovery pattern on known maintenance accounts.
Security tools performing authenticated internal network scans (Rapid7 InsightVM, Tenable Nessus agents) that run ipconfig or netstat via WMI or remote PowerShell remoting will generate PROCESS_LAUNCH events matching native tool criteria on scanned hosts.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2

// Match native network discovery binaries or interpreters running discovery commands
| ImageFileName = /\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$/i
  OR (
    ImageFileName = /\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$/i
    AND CommandLine = /(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -|netstat|route print|nbtstat|netsh interface|esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)/
  )

// Compute enrichment fields
| IsNativeTool := if(
    ImageFileName = /\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$/i,
    "true", "false"
  )
| IsScriptedDiscovery := if(
    ImageFileName = /\\(powershell|pwsh|cmd|wscript|cscript)\.exe$/i
    AND CommandLine = /(?i)(Get-Net|Win32_Network|ipconfig|ifconfig|arp -|netstat|route print|nbtstat|netsh interface|esxcli)/,
    "true", "false"
  )
| SuspiciousParent := if(
    ParentImageFileName = /\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec)\.exe$/i,
    "true", "false"
  )
| SuspicionScore := if(IsScriptedDiscovery = "true", 1, 0) + if(SuspiciousParent = "true", 1, 0)

// Project relevant fields for analyst review
| table(
    [
      timestamp,
      ComputerName,
      UserName,
      ImageFileName,
      CommandLine,
      ParentImageFileName,
      ParentCommandLine,
      IsNativeTool,
      IsScriptedDiscovery,
      SuspiciousParent,
      SuspicionScore,
      TargetProcessId,
      ContextProcessId
    ]
  )
| sort(timestamp, order = desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Activity — ProcessRollup2 events via Falcon Data Replicator (FDR) or LogScale SIEM Connector Falcon Event Stream API (ProcessRollup2 event type)

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor self-diagnostics and internal health checks may spawn netstat or ipconfig as child processes on endpoints, generating hits with Falcon-related parent process names that do not match SuspiciousParent but still match IsNativeTool.
IT helpdesk remote support sessions initiated via Falcon Real Time Response (RTR) where analysts manually run ipconfig, arp, or netstat for live troubleshooting will appear in telemetry with RTR-related parent context; correlate with RTR session logs to suppress.
Windows Subsystem for Linux (WSL) processes executing ifconfig or ip addr as part of Linux development workflows will generate ProcessRollup2 events matching the native tool regex when the WSL interop bridge spawns Windows-side processes, particularly on developer laptops.

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1016 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Network Configuration Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Discovery

Popular Detections