Which SIEM platforms have a T1016 detection rule?

df00tech provides T1016 (System Network Configuration Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Network Configuration Discovery (T1016)?

Detecting System Network Configuration Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1016 detection?

The T1016 detection is rated low severity with medium confidence.

What are common false positives for T1016?

Common false positives for T1016 include: System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting; IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule; Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications.

T1016

System Network Configuration Discovery

Discovery Last updated: April 13, 2026

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.

What is T1016 System Network Configuration Discovery?

System Network Configuration Discovery (T1016) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for System Network Configuration Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1016 System Network Configuration Discovery
Canonical reference: https://attack.mitre.org/techniques/T1016/

Microsoft Sentinel / Defender

kusto

let NetworkDiscoveryBinaries = dynamic([
  "ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
  "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe"
]);
let NetworkDiscoveryKeywords = dynamic([
  "ipconfig", "ifconfig", "ip addr", "ip route", "ip link",
  "arp -a", "arp -n", "netstat -r", "route print", "nbtstat",
  "netsh interface", "Get-NetIPConfiguration", "Get-NetAdapter",
  "Get-NetRoute", "Get-DnsClientServerAddress", "gwmi Win32_NetworkAdapterConfiguration",
  "Win32_NetworkAdapter", "esxcli network", "show ip route", "show ip interface",
  "networksetup", "system_profiler SPNetworkDataType"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ (NetworkDiscoveryBinaries)
    or (FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe", "python3.exe")
        and ProcessCommandLine has_any (NetworkDiscoveryKeywords))
  )
| extend IsNativeDiscoveryTool = FileName in~ (NetworkDiscoveryBinaries)
| extend IsScriptedDiscovery = FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend SuspiciousParent = InitiatingProcessFileName in~ (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
    "regsvr32.exe", "msiexec.exe", "svchost.exe"
  )
| extend CommandArgs = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessAccountName,
    IsNativeDiscoveryTool, IsScriptedDiscovery, SuspiciousParent
| sort by Timestamp desc

Detects system network configuration discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors execution of native network enumeration utilities (ipconfig.exe, arp.exe, nbtstat.exe, route.exe, netstat.exe, netsh.exe) as well as scripted equivalents via PowerShell WMI queries (Win32_NetworkAdapterConfiguration, Get-NetIPConfiguration, Get-NetAdapter). Flags executions originating from Office applications, script interpreters, or other suspicious parent processes that indicate post-exploitation discovery rather than administrative activity.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting
IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule
Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications
Security scanners and vulnerability assessment tools that collect host network configuration as part of asset inventory
Developer workstations where developers routinely use PowerShell Get-NetIPConfiguration or ip addr for network testing

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\ipconfig.exe" OR Image="*\\arp.exe" OR Image="*\\nbtstat.exe"
   OR Image="*\\route.exe" OR Image="*\\netstat.exe" OR Image="*\\netsh.exe"
   OR Image="*\\hostname.exe" OR Image="*\\tracert.exe" OR Image="*\\pathping.exe"
   OR (Image="*\\powershell.exe" AND (CommandLine="*Get-NetIPConfiguration*" OR CommandLine="*Get-NetAdapter*"
       OR CommandLine="*Get-NetRoute*" OR CommandLine="*Win32_NetworkAdapterConfiguration*"
       OR CommandLine="*Win32_NetworkAdapter*" OR CommandLine="*Get-DnsClientServerAddress*"))
   OR (Image="*\\cmd.exe" AND (CommandLine="*ipconfig*" OR CommandLine="*arp *" OR CommandLine="*nbtstat*"
       OR CommandLine="*route print*" OR CommandLine="*netstat*")))
| eval ToolName=mvindex(split(Image, "\\"), -1)
| eval IsNativeTool=if(match(ToolName, "^(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$"), 1, 0)
| eval IsScriptedDiscovery=if(match(Image, "powershell\.exe|cmd\.exe") AND match(CommandLine, "Get-Net|Win32_Network|ipconfig|arp |nbtstat|route print|netstat"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook|mshta|rundll32|regsvr32|msiexec)\.exe"), 1, 0)
| eval SuspicionScore=IsScriptedDiscovery + SuspiciousParent
| table _time, host, User, ToolName, CommandLine, ParentImage, ParentCommandLine,
        IsNativeTool, IsScriptedDiscovery, SuspiciousParent, SuspicionScore
| sort - _time

Detects network configuration discovery using Sysmon Event ID 1 (Process Creation). Monitors native Windows network utilities (ipconfig, arp, nbtstat, route, netstat, netsh, hostname) and scripted equivalents via PowerShell WMI queries and Get-Net* cmdlets. Assigns a suspicion score based on whether discovery is scripted (higher risk) and whether the parent process is a suspicious application such as an Office application or LOLBin.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting
IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule
Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications
Security scanners and vulnerability assessment tools that collect host network configuration as part of asset inventory
Developer workstations where developers routinely use PowerShell Get-NetIPConfiguration or ip addr for network testing

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                    "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
  or (
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "python.exe", "python3.exe")
    and process.command_line : ("*Get-NetIPConfiguration*", "*Get-NetAdapter*",
                                "*Get-NetRoute*", "*Get-DnsClientServerAddress*",
                                "*Win32_NetworkAdapterConfiguration*", "*Win32_NetworkAdapter*",
                                "*ipconfig*", "*ifconfig*", "*ip addr*", "*ip route*",
                                "*arp -a*", "*arp -n*", "*netstat -r*", "*route print*",
                                "*nbtstat*", "*netsh interface*",
                                "*esxcli network*", "*show ip route*", "*show ip interface*",
                                "*networksetup*", "*system_profiler SPNetworkDataType*")
  )
) and not (
  process.parent.name in~ ("msiexec.exe") and
  process.name == "ipconfig.exe" and
  process.command_line : "*/all*"
)
| eval IsNativeTool = process.name in~ ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe",
                                         "netstat.exe", "netsh.exe", "hostname.exe",
                                         "tracert.exe", "pathping.exe")
| eval SuspiciousParent = process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe",
                                                    "outlook.exe", "mshta.exe", "wscript.exe",
                                                    "cscript.exe", "rundll32.exe",
                                                    "regsvr32.exe", "msiexec.exe")

Detects T1016 System Network Configuration Discovery using Elastic EQL against Elastic Common Schema (ECS) process events. Matches execution of native Windows network enumeration binaries (ipconfig, arp, nbtstat, netstat, route, netsh, hostname, tracert, pathping) and scripted discovery via PowerShell cmdlets (Get-NetIPConfiguration, Get-NetAdapter, Get-NetRoute, Win32_NetworkAdapterConfiguration) or shell commands. Flags suspicious parent processes indicative of malware-initiated discovery (Office apps, mshta, rundll32, regsvr32).

medium severity high confidence

Data Sources

Elastic Endpoint (endpoint.events.process) Winlogbeat with Sysmon (event.code:1) Auditbeat process module (Linux)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

IT administrators and network engineers routinely execute ipconfig, netstat, route, and arp as part of standard troubleshooting, resulting in high-volume benign hits from known admin hosts or admin user accounts.
Software installers and patch management tools (SCCM, Ansible, Puppet, Chef) frequently invoke ipconfig or netsh during deployment scripts to validate network readiness, triggering IsNativeTool matches on known management infrastructure.
Monitoring and observability agents (Datadog, SolarWinds, PRTG) run scheduled network discovery commands via cmd.exe or PowerShell to collect interface metrics, generating recurring hits from the agent service account.
Developer workstations running WSL or Docker tooling may invoke ip addr, ip route, or ifconfig via Python or shell scripts as part of container network configuration checks.
Security scanning tools (Nessus, Qualys, Rapid7) that enumerate network configuration as part of authenticated vulnerability assessments will match scripted discovery patterns from known scanner IPs.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  "Parent Command Line" AS ParentCommandLine,
  CATEGORYNAME(category) AS Category,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  hostname AS HostName,
  CASE
    WHEN "Process Name" ILIKE '%\\ipconfig.exe'
      OR "Process Name" ILIKE '%\\arp.exe'
      OR "Process Name" ILIKE '%\\nbtstat.exe'
      OR "Process Name" ILIKE '%\\route.exe'
      OR "Process Name" ILIKE '%\\netstat.exe'
      OR "Process Name" ILIKE '%\\netsh.exe'
      OR "Process Name" ILIKE '%\\hostname.exe'
      OR "Process Name" ILIKE '%\\tracert.exe'
      OR "Process Name" ILIKE '%\\pathping.exe'
    THEN 1 ELSE 0
  END AS IsNativeTool,
  CASE
    WHEN ("Process Name" ILIKE '%\\powershell.exe' OR "Process Name" ILIKE '%\\pwsh.exe'
          OR "Process Name" ILIKE '%\\cmd.exe' OR "Process Name" ILIKE '%\\wscript.exe'
          OR "Process Name" ILIKE '%\\cscript.exe')
      AND ("Command Line" ILIKE '%Get-NetIPConfiguration%'
           OR "Command Line" ILIKE '%Get-NetAdapter%'
           OR "Command Line" ILIKE '%Get-NetRoute%'
           OR "Command Line" ILIKE '%Win32_NetworkAdapterConfiguration%'
           OR "Command Line" ILIKE '%Win32_NetworkAdapter%'
           OR "Command Line" ILIKE '%Get-DnsClientServerAddress%'
           OR "Command Line" ILIKE '%ipconfig%'
           OR "Command Line" ILIKE '%ifconfig%'
           OR "Command Line" ILIKE '%arp -%'
           OR "Command Line" ILIKE '%netstat%'
           OR "Command Line" ILIKE '%route print%'
           OR "Command Line" ILIKE '%nbtstat%'
           OR "Command Line" ILIKE '%netsh interface%'
           OR "Command Line" ILIKE '%esxcli network%')
    THEN 1 ELSE 0
  END AS IsScriptedDiscovery,
  CASE
    WHEN "Parent Process Name" ILIKE '%\\winword.exe'
      OR "Parent Process Name" ILIKE '%\\excel.exe'
      OR "Parent Process Name" ILIKE '%\\powerpnt.exe'
      OR "Parent Process Name" ILIKE '%\\outlook.exe'
      OR "Parent Process Name" ILIKE '%\\mshta.exe'
      OR "Parent Process Name" ILIKE '%\\rundll32.exe'
      OR "Parent Process Name" ILIKE '%\\regsvr32.exe'
      OR "Parent Process Name" ILIKE '%\\msiexec.exe'
    THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE (
    "Process Name" ILIKE '%\\ipconfig.exe'
    OR "Process Name" ILIKE '%\\arp.exe'
    OR "Process Name" ILIKE '%\\nbtstat.exe'
    OR "Process Name" ILIKE '%\\route.exe'
    OR "Process Name" ILIKE '%\\netstat.exe'
    OR "Process Name" ILIKE '%\\netsh.exe'
    OR "Process Name" ILIKE '%\\hostname.exe'
    OR "Process Name" ILIKE '%\\tracert.exe'
    OR "Process Name" ILIKE '%\\pathping.exe'
    OR (
      (
        "Process Name" ILIKE '%\\powershell.exe'
        OR "Process Name" ILIKE '%\\pwsh.exe'
        OR "Process Name" ILIKE '%\\cmd.exe'
        OR "Process Name" ILIKE '%\\wscript.exe'
        OR "Process Name" ILIKE '%\\cscript.exe'
      )
      AND (
        "Command Line" ILIKE '%Get-NetIPConfiguration%'
        OR "Command Line" ILIKE '%Get-NetAdapter%'
        OR "Command Line" ILIKE '%Get-NetRoute%'
        OR "Command Line" ILIKE '%Win32_NetworkAdapterConfiguration%'
        OR "Command Line" ILIKE '%Win32_NetworkAdapter%'
        OR "Command Line" ILIKE '%Get-DnsClientServerAddress%'
        OR "Command Line" ILIKE '%ipconfig%'
        OR "Command Line" ILIKE '%arp -%'
        OR "Command Line" ILIKE '%netstat%'
        OR "Command Line" ILIKE '%route print%'
        OR "Command Line" ILIKE '%nbtstat%'
        OR "Command Line" ILIKE '%netsh interface%'
        OR "Command Line" ILIKE '%esxcli network%'
      )
    )
  )
  AND LOGSOURCETYPEID IN (12, 215, 352)
ORDER BY starttime DESC
LAST 24 HOURS

Detects T1016 System Network Configuration Discovery via QRadar AQL querying Windows Sysmon (EventCode 1) and Windows Security (EventCode 4688) log sources. Matches native network enumeration executables and scripted discovery via PowerShell or cmd.exe. Computes enrichment fields IsNativeTool, IsScriptedDiscovery, and SuspiciousParent to enable analyst triage. LOGSOURCETYPEID 12 covers Microsoft Windows Security Event Log, 215 covers Sysmon for Windows, 352 covers Microsoft Windows PowerShell.

medium severity high confidence

Data Sources

Microsoft Windows Security Event Log (LOGSOURCETYPEID 12) — EventID 4688 Sysmon for Windows (LOGSOURCETYPEID 215) — EventID 1 Microsoft Windows PowerShell (LOGSOURCETYPEID 352)

Required Tables

events

False Positives

Automated IT asset inventory and CMDB sync processes (e.g., ServiceNow Discovery, Microsoft SCCM hardware inventory) routinely invoke ipconfig /all, netsh, and netstat via scheduled tasks under SYSTEM or dedicated service accounts, generating high-volume benign hits on managed endpoints.
Remote support tools (TeamViewer, ConnectWise, BeyondTrust) and RMM agents frequently run network diagnostics including ipconfig, arp, and tracert as part of remote troubleshooting sessions, which will match on SuspiciousParent if spawned via their agent process.
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing network validation scripts as part of integration test suites will trigger IsScriptedDiscovery when running PowerShell Get-NetAdapter or netstat checks against local network adapters.

Sumo Logic CSE

sql

_sourceCategory=*/windows/sysmon OR _sourceCategory=*/windows/wineventlog/security OR _sourceCategory=*/windows/powershell
| where EventCode = 1 OR EventCode = 4688
| parse regex "(?i)(?:Image|New Process Name)\s*:\s*(?P<full_image_path>[^\r\n]+)" nodrop
| parse regex "(?i)(?:CommandLine|Process Command Line)\s*:\s*(?P<command_line>[^\r\n]+)" nodrop
| parse regex "(?i)(?:ParentImage|Creator Process Name)\s*:\s*(?P<parent_image>[^\r\n]+)" nodrop
| parse regex "(?i)(?:User|Subject Account Name)\s*:\s*(?P<user_name>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Computer|ComputerName)\s*:\s*(?P<host_name>[^\r\n]+)" nodrop
| parse regex "(?:[/\\\\])(?P<process_name>[^/\\\\\r\n]+\.exe)$" nodrop field=full_image_path
| parse regex "(?:[/\\\\])(?P<parent_name>[^/\\\\\r\n]+\.exe)$" nodrop field=parent_image
| toLowerCase process_name
| toLowerCase parent_name
| where process_name in ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                         "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
  OR (
    process_name in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "python.exe", "python3.exe")
    AND (
      command_line matches "(?i)Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute"
      OR command_line matches "(?i)Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|Get-DnsClientServerAddress"
      OR command_line matches "(?i)ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -"
      OR command_line matches "(?i)netstat|route print|nbtstat|netsh interface|esxcli network"
      OR command_line matches "(?i)show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType"
    )
  )
| eval IsNativeTool = if(process_name in ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe",
                                          "netstat.exe", "netsh.exe", "hostname.exe",
                                          "tracert.exe", "pathping.exe"), 1, 0)
| eval IsScriptedDiscovery = if(process_name in ("powershell.exe", "pwsh.exe", "cmd.exe",
                                                  "wscript.exe", "cscript.exe"), 1, 0)
| eval SuspiciousParent = if(parent_name in ("winword.exe", "excel.exe", "powerpnt.exe",
                                             "outlook.exe", "mshta.exe", "wscript.exe",
                                             "cscript.exe", "rundll32.exe",
                                             "regsvr32.exe", "msiexec.exe",
                                             "svchost.exe"), 1, 0)
| eval SuspicionScore = IsScriptedDiscovery + SuspiciousParent
| fields _messageTime, host_name, user_name, process_name, command_line,
         parent_name, IsNativeTool, IsScriptedDiscovery, SuspiciousParent, SuspicionScore
| sort by _messageTime desc

Detects T1016 System Network Configuration Discovery in Sumo Logic by parsing Sysmon EventCode 1 and Security EventCode 4688 process creation events across Windows endpoints. Extracts process name, command line, and parent process using regex parsing, then classifies each event as IsNativeTool (direct binary execution), IsScriptedDiscovery (interpreter-mediated), or SuspiciousParent (high-risk parent process). Computes a composite SuspicionScore for analyst prioritization.

medium severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (_sourceCategory=*/windows/sysmon) Windows Security Event Log (_sourceCategory=*/windows/wineventlog/security) Windows PowerShell Event Log (_sourceCategory=*/windows/powershell)

Required Tables

_sourceCategory=*/windows/sysmon _sourceCategory=*/windows/wineventlog/security _sourceCategory=*/windows/powershell

False Positives

Endpoint management platforms (Tanium, BigFix, Ansible Tower) that execute network configuration commands on managed hosts via their agent service accounts will generate high volumes of IsNativeTool hits from known management endpoints; allowlist by user_name or parent_name for these agents.
Network performance monitoring solutions such as PRTG, SolarWinds NPM, or Dynatrace agents running on Windows hosts periodically call netstat, ipconfig, and arp as part of network topology discovery, triggering this rule on every collection cycle.
Developer workstations running local Kubernetes clusters (minikube, kind, Docker Desktop) frequently invoke ip addr, netstat, and route commands via scripting interpreters (Python, cmd.exe) to inspect virtual network adapters, creating sustained IsScriptedDiscovery matches for development users.

Google Chronicle / SecOps

yaral

rule T1016_System_Network_Configuration_Discovery {

  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1016 System Network Configuration Discovery. Matches execution of native Windows network enumeration binaries (ipconfig, arp, nbtstat, route, netstat, netsh, hostname, tracert, pathping) and scripted discovery via PowerShell, cmd, or scripting interpreters using network enumeration cmdlets or shell commands. Also detects ESXi esxcli and Linux ip/ifconfig enumeration."
    mitre_technique = "T1016"
    mitre_tactic    = "TA0007"
    severity        = "MEDIUM"
    priority        = "MEDIUM"
    yara_version    = "YL2.0"
    rule_version    = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    (
      // Native Windows network discovery tools executed directly
      re.regex($e.target.process.file.full_path,
        `(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$`)

      or

      // Scripted discovery via interpreter with network enumeration keywords
      (
        re.regex($e.target.process.file.full_path,
          `(?i)\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$`)
        and
        re.regex($e.target.process.command_line,
          `(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|netstat|route print|nbtstat|netsh interface|esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path,
        `(?i)\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec|svchost)\.exe$`), 50, 0)
      +
      if(re.regex($e.target.process.file.full_path,
        `(?i)\\(powershell|pwsh|cmd|wscript|cscript)\.exe$`)
        and re.regex($e.target.process.command_line,
        `(?i)(Get-Net|Win32_Network|ipconfig|netstat|route print|arp |nbtstat)`), 30, 0)
      +
      if(re.regex($e.target.process.file.full_path,
        `(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$`), 20, 0)
    )
    $hostname        = $e.principal.hostname
    $user            = $e.principal.user.userid
    $process_name    = $e.target.process.file.full_path
    $command_line    = $e.target.process.command_line
    $parent_process  = $e.principal.process.file.full_path

  condition:
    $e
}

YARA-L 2.0 rule for Google Chronicle UDM detecting T1016 System Network Configuration Discovery. Matches PROCESS_LAUNCH events where the target process is a native Windows network enumeration binary or a scripting interpreter running network discovery commands. Outcome scoring weights suspicious parent processes (+50), scripted enumeration patterns (+30), and native tool execution (+20) for risk-based prioritization. Groups events by hostname over a 5-minute window to support correlation.

medium severity high confidence

Data Sources

Google Chronicle UDM — PROCESS_LAUNCH events from Windows endpoints via Chronicle Forwarder or BindPlane Chronicle Sysmon UDM parser (event.idm.read_only_udm.metadata.product_event_type: ProcessCreate) Chronicle CrowdStrike Falcon UDM feed Chronicle Carbon Black UDM feed

Required Tables

UDM entity graph (PROCESS_LAUNCH event type)

False Positives

Automated patch management orchestration tools (SCCM, Intune, Puppet) that spawn ipconfig or netsh as child processes of msiexec.exe or svchost.exe during software deployments will score positively on SuspiciousParent due to those parent process names appearing in the risk scoring logic.
Network baseline capture scripts executed by IT operations teams using PowerShell Get-NetAdapter or Get-NetIPConfiguration to document adapter configuration before and after maintenance windows will match the scripted discovery pattern on known maintenance accounts.
Security tools performing authenticated internal network scans (Rapid7 InsightVM, Tenable Nessus agents) that run ipconfig or netstat via WMI or remote PowerShell remoting will generate PROCESS_LAUNCH events matching native tool criteria on scanned hosts.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2

// Match native network discovery binaries or interpreters running discovery commands
| ImageFileName = /\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$/i
  OR (
    ImageFileName = /\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$/i
    AND CommandLine = /(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -|netstat|route print|nbtstat|netsh interface|esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)/
  )

// Compute enrichment fields
| IsNativeTool := if(
    ImageFileName = /\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$/i,
    "true", "false"
  )
| IsScriptedDiscovery := if(
    ImageFileName = /\\(powershell|pwsh|cmd|wscript|cscript)\.exe$/i
    AND CommandLine = /(?i)(Get-Net|Win32_Network|ipconfig|ifconfig|arp -|netstat|route print|nbtstat|netsh interface|esxcli)/,
    "true", "false"
  )
| SuspiciousParent := if(
    ParentImageFileName = /\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec)\.exe$/i,
    "true", "false"
  )
| SuspicionScore := if(IsScriptedDiscovery = "true", 1, 0) + if(SuspiciousParent = "true", 1, 0)

// Project relevant fields for analyst review
| table(
    [
      timestamp,
      ComputerName,
      UserName,
      ImageFileName,
      CommandLine,
      ParentImageFileName,
      ParentCommandLine,
      IsNativeTool,
      IsScriptedDiscovery,
      SuspiciousParent,
      SuspicionScore,
      TargetProcessId,
      ContextProcessId
    ]
  )
| sort(timestamp, order = desc)

Detects T1016 System Network Configuration Discovery using CrowdStrike LogScale (CQL) against Falcon ProcessRollup2 telemetry. Matches execution of native Windows network enumeration binaries and scripting interpreters running network discovery commands via regex on ImageFileName and CommandLine fields. Computes IsNativeTool, IsScriptedDiscovery, SuspiciousParent, and SuspicionScore enrichment fields for analyst prioritization. Designed for the Falcon SIEM Connector or LogScale direct ingestion of Falcon event stream data.

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Activity — ProcessRollup2 events via Falcon Data Replicator (FDR) or LogScale SIEM Connector Falcon Event Stream API (ProcessRollup2 event type)

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor self-diagnostics and internal health checks may spawn netstat or ipconfig as child processes on endpoints, generating hits with Falcon-related parent process names that do not match SuspiciousParent but still match IsNativeTool.
IT helpdesk remote support sessions initiated via Falcon Real Time Response (RTR) where analysts manually run ipconfig, arp, or netstat for live troubleshooting will appear in telemetry with RTR-related parent context; correlate with RTR session logs to suppress.
Windows Subsystem for Linux (WSL) processes executing ifconfig or ip addr as part of Linux development workflows will generate ProcessRollup2 events matching the native tool regex when the WSL interop bridge spawns Windows-side processes, particularly on developer laptops.

Sigma rule & cross-platform mapping

The detection logic for System Network Configuration Discovery (T1016) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1016 Sigma rules on detection.fyi

Platform-specific guides for T1016

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (11)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Windows Network Configuration Enumeration via ipconfig
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.
Test 2ARP Table and Routing Table Bulk Enumeration
Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.
Test 3PowerShell WMI Network Adapter Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity Event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process spawned — purely in-process WMI query.
Test 4PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log underlying WMI calls made by these cmdlets.
Test 5Linux Network Configuration Discovery via ip and arp
Expected signal: Linux auditd SYSCALL records for execve() calls for ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command. /proc audit trail for process creation.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1016 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Network Configuration Discovery

What is T1016 System Network Configuration Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1016

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1016 System Network Configuration Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1016

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox