T1016.001

Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.

Microsoft Sentinel / Defender

kusto

let KnownConnectivityTargets = dynamic([
  "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
  "bing.com", "google.com", "microsoft.com", "ifconfig.me",
  "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com",
  "whatismyip.com", "ipecho.net", "myexternalip.com",
  "wtfismyip.com", "api.ipify.org", "ip-api.com",
  "ifconfig.co", "ipv4.icanhazip.com"
]);
let PingTracertCommands = dynamic([
  "ping", "tracert", "traceroute", "pathping", "nslookup",
  "Test-NetConnection", "Test-Connection", "Invoke-WebRequest",
  "curl", "wget", "bitsadmin"
]);
// Detection 1: Process-based — ping/tracert/curl to connectivity check targets
let ProcessBased = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("ping.exe", "tracert.exe", "traceroute", "pathping.exe", "nslookup.exe", "curl.exe", "wget.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any (KnownConnectivityTargets)
      or ProcessCommandLine has_any ("ifconfig.me", "ipinfo.io", "icanhazip", "wtfismyip", "api.ipify", "ip-api.com", "ifconfig.co", "checkip.amazonaws")
| extend DetectionType = "ProcessCommandLine"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId, ProcessId, DetectionType;
// Detection 2: Network-based — direct HTTP/DNS connections to connectivity-check services
let NetworkBased = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (KnownConnectivityTargets)
      or RemoteUrl has_any ("ifconfig.me", "ipinfo.io", "icanhazip", "wtfismyip", "api.ipify", "ip-api.com", "ifconfig.co", "checkip.amazonaws")
      or RemoteIP in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe")
| extend DetectionType = "NetworkConnection"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          RemoteIP, RemoteUrl, RemotePort, DetectionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId;
union ProcessBased, NetworkBased
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

IT administrators or network engineers running ping/tracert diagnostics for legitimate troubleshooting
Monitoring and observability agents (Datadog, New Relic, SolarWinds) that periodically check internet reachability
Automated health check scripts in CI/CD pipelines or deployment automation that verify outbound connectivity before deploying updates
Operating system components and update services (Windows Update, Microsoft Defender signature updates) that contact Microsoft infrastructure
Network diagnostic tools used by help desk staff confirming connectivity for remote users

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 (Image="*\\ping.exe" OR Image="*\\tracert.exe" OR Image="*\\pathping.exe" OR Image="*\\nslookup.exe" OR Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"))
  OR
  (EventCode=4688 (NewProcessName="*\\ping.exe" OR NewProcessName="*\\tracert.exe" OR NewProcessName="*\\pathping.exe" OR NewProcessName="*\\nslookup.exe" OR NewProcessName="*\\curl.exe" OR NewProcessName="*\\bitsadmin.exe" OR NewProcessName="*\\powershell.exe"))
  OR
  (EventCode=3)
)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| eval TargetHost=coalesce(DestinationHostname, QueryName, CommandLine)
| eval cmd_lower=lower(coalesce(CommandLine, ""))
| eval dns_or_dest=lower(coalesce(DestinationHostname, ""))
| eval IsConnectivityTarget=if(
    match(cmd_lower, "(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)")
    OR match(dns_or_dest, "(ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)"),
    1, 0)
| eval IsPingOrTrace=if(match(cmd_lower, "(ping|tracert|traceroute|pathping|nslookup|test-netconnection|test-connection)"), 1, 0)
| eval IsPublicDNSTarget=if(match(cmd_lower, "(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)"), 1, 0)
| eval IsIPLookupService=if(match(cmd_lower, "(ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net|ifconfig\.co)"), 1, 0)
| eval SuspicionScore=IsConnectivityTarget + IsPingOrTrace + IsPublicDNSTarget + IsIPLookupService
| where SuspicionScore > 0
| eval ProcessName=coalesce(Image, NewProcessName)
| eval User=coalesce(User, SubjectUserName)
| where NOT match(ProcessName, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)")
| table _time, host, User, ProcessName, cmd_lower, ParentImage, DestinationHostname, DestinationIp, DestinationPort, IsPingOrTrace, IsPublicDNSTarget, IsIPLookupService, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 3 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators or network engineers running ping/tracert diagnostics for legitimate troubleshooting
Monitoring and observability agents (Datadog, New Relic, SolarWinds) that periodically check internet reachability
Automated health check scripts in CI/CD pipelines or deployment automation that verify outbound connectivity before deploying updates
Operating system components and update services (Windows Update, Microsoft Defender signature updates) that contact Microsoft infrastructure
Network diagnostic tools used by help desk staff confirming connectivity for remote users

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and
    event.type == "start" and
    process.name in~ ("ping.exe", "tracert.exe", "pathping.exe", "nslookup.exe", "curl.exe", "wget.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe") and
    process.command_line like~ (
      "*8.8.8.8*", "*8.8.4.4*", "*1.1.1.1*", "*1.0.0.1*",
      "*bing.com*", "*google.com*", "*ifconfig.me*", "*ipinfo.io*",
      "*icanhazip*", "*wtfismyip*", "*api.ipify*", "*ip-api.com*",
      "*ifconfig.co*", "*checkip.amazonaws*", "*myexternalip*",
      "*whatismyip*", "*ipecho.net*"
    )
  ) or
  (
    event.category == "network" and
    event.type in ("connection", "start") and
    (
      destination.domain in~ (
        "ifconfig.me", "ipinfo.io", "icanhazip.com", "wtfismyip.com",
        "api.ipify.org", "ip-api.com", "ifconfig.co",
        "checkip.amazonaws.com", "myexternalip.com",
        "whatismyip.com", "ipecho.net"
      ) or
      destination.ip in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
    ) and
    process.name not in~ (
      "chrome.exe", "firefox.exe", "msedge.exe",
      "iexplore.exe", "opera.exe", "brave.exe"
    )
  )

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon module Auditbeat (Linux)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Network administrators running legitimate connectivity diagnostics using ping or tracert to Google public DNS (8.8.8.8) for troubleshooting link-layer or routing issues
Automated IT monitoring or RMM agents (e.g., ConnectWise Automate, Kaseya VSA) that periodically check internet reachability by curling ifconfig.me or similar services on a schedule
Developer workstations running CI/CD pipelines, build scripts, or container entrypoints that invoke curl to connectivity-check services to determine public egress IP before configuring firewall rules

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Image" AS parent_process,
  destinationip AS dest_ip,
  destinationhostname AS dest_hostname,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(devicetype) AS log_source_type
FROM events
WHERE
  (
    LOWER("Command") ILIKE '%8.8.8.8%'
    OR LOWER("Command") ILIKE '%8.8.4.4%'
    OR LOWER("Command") ILIKE '%1.1.1.1%'
    OR LOWER("Command") ILIKE '%1.0.0.1%'
    OR LOWER("Command") ILIKE '%ifconfig.me%'
    OR LOWER("Command") ILIKE '%ipinfo.io%'
    OR LOWER("Command") ILIKE '%icanhazip%'
    OR LOWER("Command") ILIKE '%wtfismyip%'
    OR LOWER("Command") ILIKE '%api.ipify%'
    OR LOWER("Command") ILIKE '%ip-api.com%'
    OR LOWER("Command") ILIKE '%ifconfig.co%'
    OR LOWER("Command") ILIKE '%checkip.amazonaws%'
    OR LOWER("Command") ILIKE '%myexternalip%'
    OR LOWER("Command") ILIKE '%whatismyip%'
    OR LOWER("Command") ILIKE '%ipecho.net%'
    OR LOWER("Command") ILIKE '%bing.com%'
    OR LOWER("Command") ILIKE '%google.com%'
    OR LOWER(destinationhostname) ILIKE '%ifconfig.me%'
    OR LOWER(destinationhostname) ILIKE '%ipinfo.io%'
    OR LOWER(destinationhostname) ILIKE '%icanhazip%'
    OR LOWER(destinationhostname) ILIKE '%wtfismyip%'
    OR LOWER(destinationhostname) ILIKE '%api.ipify%'
    OR LOWER(destinationhostname) ILIKE '%ip-api.com%'
    OR LOWER(destinationhostname) ILIKE '%checkip.amazonaws%'
    OR destinationip IN ('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1')
  )
  AND
  (
    LOWER("Process Name") ILIKE '%ping.exe%'
    OR LOWER("Process Name") ILIKE '%tracert.exe%'
    OR LOWER("Process Name") ILIKE '%pathping.exe%'
    OR LOWER("Process Name") ILIKE '%nslookup.exe%'
    OR LOWER("Process Name") ILIKE '%curl.exe%'
    OR LOWER("Process Name") ILIKE '%wget.exe%'
    OR LOWER("Process Name") ILIKE '%bitsadmin.exe%'
    OR LOWER("Process Name") ILIKE '%powershell.exe%'
    OR LOWER("Process Name") ILIKE '%pwsh.exe%'
    OR LOWER("Process Name") ILIKE '%cmd.exe%'
    OR destinationip IN ('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1')
    OR LOWER(destinationhostname) ILIKE '%ifconfig%'
    OR LOWER(destinationhostname) ILIKE '%ipify%'
    OR LOWER(destinationhostname) ILIKE '%icanhazip%'
  )
  AND username NOT LIKE '%$'
  AND NOT (
    LOWER("Process Name") ILIKE '%chrome.exe%'
    OR LOWER("Process Name") ILIKE '%firefox.exe%'
    OR LOWER("Process Name") ILIKE '%msedge.exe%'
    OR LOWER("Process Name") ILIKE '%iexplore.exe%'
    OR LOWER("Process Name") ILIKE '%opera.exe%'
    OR LOWER("Process Name") ILIKE '%brave.exe%'
  )
LAST 24 HOURS
ORDER BY devicetime DESC

medium severity medium confidence

Data Sources

Windows Security Event Log (DSM: Microsoft Windows Security Event Log) Sysmon via Windows Event Forwarding (DSM: Microsoft Windows Sysmon) QRadar Network Activity flows

Required Tables

events

False Positives

IT operations teams executing documented runbooks that use ping to 8.8.8.8 as a first-step internet gateway reachability check during incident response or change management
PowerShell-based system health or compliance scripts that invoke Invoke-WebRequest or curl to ifconfig.me to determine and log the public IP of corporate egress points
Software deployment orchestration tools (SCCM, Ansible, Chef) that preflight-check internet connectivity using curl or nslookup before downloading packages from external repositories

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*winevent*" OR _sourceCategory="*winlogbeat*")
| where EventCode in ("1", "4688", "3", "22")
| parse regex field=Message "(?:CommandLine|ProcessCommandLine|Command Line):\s*(?<CommandLine>[^\n\r]+)" nodrop
| parse regex field=Message "(?:Image|NewProcessName):\s*(?<ProcessName>[^\n\r]+)" nodrop
| parse regex field=Message "(?:ParentImage|ParentProcessName):\s*(?<ParentImage>[^\n\r]+)" nodrop
| parse regex field=Message "(?:DestinationHostname|QueryName):\s*(?<DestHost>[^\n\r]+)" nodrop
| parse regex field=Message "(?:DestinationIp|DestinationAddress):\s*(?<DestIP>[^\n\r]+)" nodrop
| eval cmd_lower = toLowerCase(if(isNull(CommandLine), "", CommandLine))
| eval dest_lower = toLowerCase(if(isNull(DestHost), "", DestHost))
| eval proc_lower = toLowerCase(if(isNull(ProcessName), "", ProcessName))
| where (
    matches(cmd_lower, /8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net/)
    OR matches(dest_lower, /ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net/)
    OR DestIP in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
  )
| where !matches(proc_lower, /chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe/)
| eval IsPingOrTrace = if(matches(cmd_lower, /ping|tracert|traceroute|pathping|nslookup|test-netconnection|test-connection/), 1, 0)
| eval IsIPLookupService = if(matches(cmd_lower, /ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net/), 1, 0)
| eval IsPublicDNS = if(matches(cmd_lower, /8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1/) OR DestIP in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"), 1, 0)
| eval SuspicionScore = IsPingOrTrace + IsIPLookupService + IsPublicDNS
| where SuspicionScore > 0
| sort by _messageTime desc
| fields _messageTime, host, ProcessName, CommandLine, ParentImage, DestHost, DestIP, IsPingOrTrace, IsIPLookupService, IsPublicDNS, SuspicionScore

medium severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon via Windows Event Forwarding Windows Security Event Log

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*winevent*

False Positives

Network engineers running ping to 8.8.8.8 as a baseline reachability step in documented troubleshooting and change management procedures
Monitoring and RMM platforms (Kaseya, NinjaRMM, ConnectWise) that run scheduled curl or PowerShell connectivity probes against public check services to verify internet egress from managed endpoints
Developer build environments or containerized workloads that call curl to api.ipify.org or ifconfig.me at startup to determine public egress IP for dynamic firewall rule registration

Google Chronicle / SecOps

yaral

rule t1016_001_process_internet_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "T1016.001 - Discovery tool command line references known public DNS resolvers or IP-lookup connectivity check services"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1016.001"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1016/001/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path,
      `(?i)(\\ping\.exe|\\tracert\.exe|\\pathping\.exe|\\nslookup\.exe|\\curl\.exe|\\wget\.exe|\\bitsadmin\.exe|\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe)$`)
    re.regex($e.target.process.command_line,
      `(?i)(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(\\chrome\.exe|\\firefox\.exe|\\msedge\.exe|\\iexplore\.exe|\\opera\.exe|\\brave\.exe)$`)

  condition:
    $e
}

rule t1016_001_network_connectivity_check {
  meta:
    author = "Argus Detection Engineering"
    description = "T1016.001 - Non-browser network connection to IP geolocation or internet connectivity verification service"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1016.001"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1016/001/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    re.regex($e.target.hostname,
      `(?i)(ifconfig\.me|ipinfo\.io|icanhazip\.com|wtfismyip\.com|api\.ipify\.org|ip-api\.com|ifconfig\.co|checkip\.amazonaws\.com|myexternalip\.com|whatismyip\.com|ipecho\.net)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(\\chrome\.exe|\\firefox\.exe|\\msedge\.exe|\\iexplore\.exe|\\opera\.exe|\\brave\.exe)$`)

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Windows Event Log via Chronicle Forwarder Sysmon via Chronicle Forwarder CrowdStrike Falcon (Chronicle integration) Carbon Black (Chronicle integration) SentinelOne (Chronicle integration)

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (NETWORK_CONNECTION)

False Positives

IT automation runbooks executed by administrators that use ping or PowerShell Test-NetConnection to Google DNS (8.8.8.8) as a documented first step in internet connectivity verification
Cloud-init or VM provisioning bootstrap scripts that curl ifconfig.me or checkip.amazonaws.com to determine and record the VM's public IP during first-boot configuration
Security tooling (vulnerability scanners, EDR health monitors) that enumerate external connectivity by hitting ip-api.com or similar services as part of network assessment or agent registration workflows

CrowdStrike LogScale (CQL)

cql

// T1016.001 Internet Connection Discovery — Process, DNS, and Network vectors
#event_simpleName in ["ProcessRollup2", "DnsRequest", "NetworkConnectIP4"]
| eval IsProcessHit = if(
    #event_simpleName = "ProcessRollup2"
    AND ImageFileName = /(?i)(\\ping\.exe|\\tracert\.exe|\\pathping\.exe|\\nslookup\.exe|\\curl\.exe|\\wget\.exe|\\bitsadmin\.exe|\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe)$/
    AND CommandLine = /(?i)(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)/,
    true, false)
| eval IsDnsHit = if(
    #event_simpleName = "DnsRequest"
    AND DomainName = /(?i)(ifconfig\.me|ipinfo\.io|icanhazip\.com|wtfismyip\.com|api\.ipify\.org|ip-api\.com|ifconfig\.co|checkip\.amazonaws\.com|myexternalip\.com|whatismyip\.com|ipecho\.net)/,
    true, false)
| eval IsNetworkHit = if(
    #event_simpleName = "NetworkConnectIP4"
    AND RemoteAddressIP4 in ["8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"]
    AND RemotePort in [53, 443],
    true, false)
| where IsProcessHit = true OR IsDnsHit = true OR IsNetworkHit = true
| not ImageFileName = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)$/
| eval DetectionType = case(
    IsProcessHit, "ProcessCommandLine",
    IsDnsHit, "DnsLookup",
    IsNetworkHit, "DirectPublicDNS",
    "Unknown")
| eval MatchedIndicator = case(
    IsProcessHit, CommandLine,
    IsDnsHit, DomainName,
    IsNetworkHit, RemoteAddressIP4,
    "")
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DomainName, RemoteAddressIP4, RemotePort, DetectionType, MatchedIndicator])
| sort(order=desc, limit=500)

medium severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2, DnsRequest, NetworkConnectIP4) CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2 DnsRequest NetworkConnectIP4

False Positives

CrowdStrike Falcon sensor self-diagnostics or support tool runs that verify outbound connectivity to Falcon cloud infrastructure via public DNS or IP checks
Enterprise endpoint management platforms (Tanium, BigFix, Intune) that execute periodic connectivity probes using ping or curl against public DNS resolvers to validate internet access from managed endpoints
Developer toolchains, container orchestration agents, or cloud provider CLI tools (AWS CLI, Azure CLI, gcloud) that curl checkip.amazonaws.com or ipinfo.io at startup to determine and log public egress IP for routing validation

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1016.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Internet Connection Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections