T1016.001 CrowdStrike LogScale · LogScale

Detect Internet Connection Discovery in CrowdStrike LogScale

Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.

MITRE ATT&CK

Tactic
Discovery
Technique
T1016 System Network Configuration Discovery
Sub-technique
T1016.001 Internet Connection Discovery
Canonical reference
https://attack.mitre.org/techniques/T1016/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1016.001 Internet Connection Discovery — Process, DNS, and Network vectors
#event_simpleName in ["ProcessRollup2", "DnsRequest", "NetworkConnectIP4"]
| eval IsProcessHit = if(
    #event_simpleName = "ProcessRollup2"
    AND ImageFileName = /(?i)(\\ping\.exe|\\tracert\.exe|\\pathping\.exe|\\nslookup\.exe|\\curl\.exe|\\wget\.exe|\\bitsadmin\.exe|\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe)$/
    AND CommandLine = /(?i)(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)/,
    true, false)
| eval IsDnsHit = if(
    #event_simpleName = "DnsRequest"
    AND DomainName = /(?i)(ifconfig\.me|ipinfo\.io|icanhazip\.com|wtfismyip\.com|api\.ipify\.org|ip-api\.com|ifconfig\.co|checkip\.amazonaws\.com|myexternalip\.com|whatismyip\.com|ipecho\.net)/,
    true, false)
| eval IsNetworkHit = if(
    #event_simpleName = "NetworkConnectIP4"
    AND RemoteAddressIP4 in ["8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"]
    AND RemotePort in [53, 443],
    true, false)
| where IsProcessHit = true OR IsDnsHit = true OR IsNetworkHit = true
| not ImageFileName = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)$/
| eval DetectionType = case(
    IsProcessHit, "ProcessCommandLine",
    IsDnsHit, "DnsLookup",
    IsNetworkHit, "DirectPublicDNS",
    "Unknown")
| eval MatchedIndicator = case(
    IsProcessHit, CommandLine,
    IsDnsHit, DomainName,
    IsNetworkHit, RemoteAddressIP4,
    "")
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DomainName, RemoteAddressIP4, RemotePort, DetectionType, MatchedIndicator])
| sort(order=desc, limit=500)
medium severity high confidence

CrowdStrike LogScale (Falcon Insight / FDR) query for T1016.001 Internet Connection Discovery covering three telemetry vectors: (1) ProcessRollup2 — known discovery binaries with command lines referencing public DNS resolvers or IP-lookup services; (2) DnsRequest — DNS queries to IP geolocation and connectivity check domains; (3) NetworkConnectIP4 — direct TCP/UDP connections to public DNS resolver IPs on port 53 or 443. Results enriched with a DetectionType and MatchedIndicator field for analyst triage. Browser processes excluded across all vectors.

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2, DnsRequest, NetworkConnectIP4)CrowdStrike Falcon Data Replicator (FDR)CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2DnsRequestNetworkConnectIP4

False Positives & Tuning

  • CrowdStrike Falcon sensor self-diagnostics or support tool runs that verify outbound connectivity to Falcon cloud infrastructure via public DNS or IP checks
  • Enterprise endpoint management platforms (Tanium, BigFix, Intune) that execute periodic connectivity probes using ping or curl against public DNS resolvers to validate internet access from managed endpoints
  • Developer toolchains, container orchestration agents, or cloud provider CLI tools (AWS CLI, Azure CLI, gcloud) that curl checkip.amazonaws.com or ipinfo.io at startup to determine and log public egress IP for routing validation
Download portable Sigma rule (.yml)

Other platforms for T1016.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Ping Public DNS Resolver (Gamaredon/QuietSieve Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.

  2. Test 2HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.

  3. Test 3BITSAdmin Internet Connectivity Test (HEXANE Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.

  4. Test 4PowerShell Test-NetConnection to Public DNS

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.

  5. Test 5Tracert to External Host for Route Discovery (Proxy Enumeration)

    Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1016.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1016System Network Configuration Discovery

Related Sub-techniques

T1016.002Wi-Fi Discovery

Related Techniques

T1016System Network Configuration DiscoveryT1049System Network Connections DiscoveryT1071.001Web ProtocolsT1041Exfiltration Over C2 ChannelT1102Web ServiceT1090ProxyT1082System Information DiscoveryT1059.001PowerShellT1059.003Windows Command ShellT1197BITS Jobs

Same Tactic: Discovery

Popular Detections