Detect Internet Connection Discovery in Elastic Security
Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.
MITRE ATT&CK
- Tactic
- Discovery
- Sub-technique
- T1016.001 Internet Connection Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1016/001/
Elastic Detection Query
any where
(
event.category == "process" and
event.type == "start" and
process.name in~ ("ping.exe", "tracert.exe", "pathping.exe", "nslookup.exe", "curl.exe", "wget.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe") and
process.command_line like~ (
"*8.8.8.8*", "*8.8.4.4*", "*1.1.1.1*", "*1.0.0.1*",
"*bing.com*", "*google.com*", "*ifconfig.me*", "*ipinfo.io*",
"*icanhazip*", "*wtfismyip*", "*api.ipify*", "*ip-api.com*",
"*ifconfig.co*", "*checkip.amazonaws*", "*myexternalip*",
"*whatismyip*", "*ipecho.net*"
)
) or
(
event.category == "network" and
event.type in ("connection", "start") and
(
destination.domain in~ (
"ifconfig.me", "ipinfo.io", "icanhazip.com", "wtfismyip.com",
"api.ipify.org", "ip-api.com", "ifconfig.co",
"checkip.amazonaws.com", "myexternalip.com",
"whatismyip.com", "ipecho.net"
) or
destination.ip in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
) and
process.name not in~ (
"chrome.exe", "firefox.exe", "msedge.exe",
"iexplore.exe", "opera.exe", "brave.exe"
)
)Detects T1016.001 Internet Connection Discovery via two vectors: (1) process command line execution of ping, tracert, curl, nslookup, bitsadmin, or PowerShell targeting known public DNS resolvers or IP-lookup services; (2) non-browser network connections to IP geolocation and connectivity check domains. Covers both Elastic Endpoint and Winlogbeat with Sysmon event sources using ECS-normalized fields.
Data Sources
Required Tables
False Positives & Tuning
- Network administrators running legitimate connectivity diagnostics using ping or tracert to Google public DNS (8.8.8.8) for troubleshooting link-layer or routing issues
- Automated IT monitoring or RMM agents (e.g., ConnectWise Automate, Kaseya VSA) that periodically check internet reachability by curling ifconfig.me or similar services on a schedule
- Developer workstations running CI/CD pipelines, build scripts, or container entrypoints that invoke curl to connectivity-check services to determine public egress IP before configuring firewall rules
Other platforms for T1016.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Ping Public DNS Resolver (Gamaredon/QuietSieve Style)
Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.
- Test 2HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.
- Test 3BITSAdmin Internet Connectivity Test (HEXANE Style)
Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.
- Test 4PowerShell Test-NetConnection to Public DNS
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.
- Test 5Tracert to External Host for Route Discovery (Proxy Enumeration)
Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.
References (12)
- https://attack.mitre.org/techniques/T1016/001/
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://securityintelligence.com/posts/more_eggs-malware-moonlighting-as-linkedin-recruiter/
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine/
- https://securelist.com/lyceum-group-reborn/104586/
- https://blog.talosintelligence.com/operation-layover-how-we-tracked-a-possible-carrier/
- https://www.mandiant.com/resources/unc3890-targets-israel
- https://securelist.com/qakbot-technical-analysis/103931/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016.001/T1016.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
Unlock Pro Content
Get the full detection package for T1016.001 including response playbook, investigation guide, and atomic red team tests.