Detect Internet Connection Discovery in Google Chronicle
Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.
MITRE ATT&CK
- Tactic: Discovery
- Sub-technique: T1016.001 Internet Connection Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1016/001/
YARA-L Detection Query
rule t1016_001_process_internet_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "T1016.001 - Discovery tool command line references known public DNS resolvers or IP-lookup connectivity check services"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1016.001"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1016/001/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path,
      `(?i)(\\ping\.exe|\\tracert\.exe|\\pathping\.exe|\\nslookup\.exe|\\curl\.exe|\\wget\.exe|\\bitsadmin\.exe|\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe)$`)
    re.regex($e.target.process.command_line,
      `(?i)(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(\\chrome\.exe|\\firefox\.exe|\\msedge\.exe|\\iexplore\.exe|\\opera\.exe|\\brave\.exe)$`)

  condition:
    $e
}

rule t1016_001_network_connectivity_check {
  meta:
    author = "Argus Detection Engineering"
    description = "T1016.001 - Non-browser network connection to IP geolocation or internet connectivity verification service"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1016.001"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1016/001/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    re.regex($e.target.hostname,
      `(?i)(ifconfig\.me|ipinfo\.io|icanhazip\.com|wtfismyip\.com|api\.ipify\.org|ip-api\.com|ifconfig\.co|checkip\.amazonaws\.com|myexternalip\.com|whatismyip\.com|ipecho\.net)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(\\chrome\.exe|\\firefox\.exe|\\msedge\.exe|\\iexplore\.exe|\\opera\.exe|\\brave\.exe)$`)

  condition:
    $e
}

Two Google Chronicle YARA-L 2.0 rules for T1016.001 Internet Connection Discovery using UDM normalized fields. Rule 1 (t1016_001_process_internet_discovery) matches PROCESS_LAUNCH events where known discovery binaries (ping, tracert, curl, nslookup, PowerShell, bitsadmin) reference public DNS resolvers or IP-lookup service domains in their command line. Rule 2 (t1016_001_network_connectivity_check) matches NETWORK_CONNECTION events to IP geolocation domains, explicitly excluding browser-initiated connections. Both rules use re.regex() for flexible pattern matching against UDM principal and target fields.
False Positives & Tuning
- IT automation runbooks executed by administrators that use ping or PowerShell Test-NetConnection to Google DNS (8.8.8.8) as a documented first step in internet connectivity verification
- Cloud-init or VM provisioning bootstrap scripts that curl ifconfig.me or checkip.amazonaws.com to determine and record the VM's public IP during first-boot configuration
- Security tooling (vulnerability scanners, EDR health monitors) that enumerate external connectivity by hitting ip-api.com or similar services as part of network assessment or agent registration workflows
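To regression-test the two rules' logic and the tuning described above off-platform, here is an added Python example (not part of this page or of the Argus rule set) that reproduces both rules' regexes over constructed, flattened UDM-style events and layers an allowlist of documented-automation parent processes on top of the rule's own browser exclusion. The parent binary names in TUNED_PARENTS and all sample paths are assumptions; Chronicle's RE2 and Python's re module agree on the pattern syntax used here.

```python
import re
# Patterns copied from the two YARA-L rules; Chronicle's RE2 and Python's re agree on this syntax.
DISCOVERY_BIN = re.compile(r"(?i)(\\ping\.exe|\\tracert\.exe|\\pathping\.exe|\\nslookup\.exe|\\curl\.exe|\\wget\.exe|\\bitsadmin\.exe|\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe)$")
CONNECTIVITY_CMD = re.compile(r"(?i)(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)")
LOOKUP_HOST = re.compile(r"(?i)(ifconfig\.me|ipinfo\.io|icanhazip\.com|wtfismyip\.com|api\.ipify\.org|ip-api\.com|ifconfig\.co|checkip\.amazonaws\.com|myexternalip\.com|whatismyip\.com|ipecho\.net)")
BROWSER = re.compile(r"(?i)(\\chrome\.exe|\\firefox\.exe|\\msedge\.exe|\\iexplore\.exe|\\opera\.exe|\\brave\.exe)$")
# Hypothetical tuning allowlist for the documented-automation false positives; binary names are constructed placeholders.
TUNED_PARENTS = re.compile(r"(?i)\\(provisioning-agent|runbook-worker)\.exe$")

def rule_process_internet_discovery(e, tuned_parents=None):
    # Emulates t1016_001_process_internet_discovery on a flattened UDM event dict.
    if e.get("metadata.event_type") != "PROCESS_LAUNCH":
        return False
    if not DISCOVERY_BIN.search(e.get("target.process.file.full_path", "")):
        return False
    if not CONNECTIVITY_CMD.search(e.get("target.process.command_line", "")):
        return False
    parent = e.get("principal.process.file.full_path", "")
    if BROWSER.search(parent):  # the rule's own browser-parent exclusion
        return False
    return not (tuned_parents and tuned_parents.search(parent))  # extra tuning layer

def rule_network_connectivity_check(e):
    # Emulates t1016_001_network_connectivity_check.
    if e.get("metadata.event_type") != "NETWORK_CONNECTION":
        return False
    if not LOOKUP_HOST.search(e.get("target.hostname", "")):
        return False
    return not BROWSER.search(e.get("principal.process.file.full_path", ""))

def evaluate(events, tuned_parents=None):
    # Returns {event id: [rules that fired]} so both rules can be regression-tested together.
    rules = {"process_internet_discovery": lambda e: rule_process_internet_discovery(e, tuned_parents),
             "network_connectivity_check": rule_network_connectivity_check}
    return {e["id"]: [name for name, fn in rules.items() if fn(e)] for e in events}

# Constructed sample events: two mirror the Atomic tests, two are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": "ping", "metadata.event_type": "PROCESS_LAUNCH", "target.process.command_line": "ping -n 1 8.8.8.8",
     "target.process.file.full_path": r"C:\Windows\System32\PING.EXE",
     "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe"},
    {"id": "curl_ipify", "metadata.event_type": "NETWORK_CONNECTION", "target.hostname": "api.ipify.org",
     "principal.process.file.full_path": r"C:\Windows\System32\curl.exe"},
    {"id": "chrome_ifconfig", "metadata.event_type": "NETWORK_CONNECTION", "target.hostname": "ifconfig.me",
     "principal.process.file.full_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": "runbook_tnc", "metadata.event_type": "PROCESS_LAUNCH",
     "target.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target.process.command_line": "powershell -c Test-NetConnection -ComputerName 8.8.8.8",
     "principal.process.file.full_path": r"C:\Program Files\Acme\provisioning-agent.exe"},
]
```

Keep tuning as a narrow parent-path allowlist like TUNED_PARENTS rather than widening the browser regex, so the rule keeps firing on the same binaries launched from an unexpected parent.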
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Ping Public DNS Resolver (Gamaredon/QuietSieve Style)
  Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.
- Test 2: HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)
  Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.
- Test 3: BITSAdmin Internet Connectivity Test (HEXANE Style)
  Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.
- Test 4: PowerShell Test-NetConnection to Public DNS
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.
- Test 5: Tracert to External Host for Route Discovery (Proxy Enumeration)
  Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.
References (12)
- https://attack.mitre.org/techniques/T1016/001/
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://securityintelligence.com/posts/more_eggs-malware-moonlighting-as-linkedin-recruiter/
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine/
- https://securelist.com/lyceum-group-reborn/104586/
- https://blog.talosintelligence.com/operation-layover-how-we-tracked-a-possible-carrier/
- https://www.mandiant.com/resources/unc3890-targets-israel
- https://securelist.com/qakbot-technical-analysis/103931/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016.001/T1016.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table