Detect Internet Connection Discovery in IBM QRadar

Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.

MITRE ATT&CK

Tactic: Discovery
Technique: T1016 System Network Configuration Discovery
Sub-technique: T1016.001 Internet Connection Discovery
Canonical reference: https://attack.mitre.org/techniques/T1016/001/

QRadar Detection Query

AQL query (IBM QRadar):
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Image" AS parent_process,
  destinationip AS dest_ip,
  destinationhostname AS dest_hostname,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(devicetype) AS log_source_type
FROM events
WHERE
  (
    LOWER("Command") ILIKE '%8.8.8.8%'
    OR LOWER("Command") ILIKE '%8.8.4.4%'
    OR LOWER("Command") ILIKE '%1.1.1.1%'
    OR LOWER("Command") ILIKE '%1.0.0.1%'
    OR LOWER("Command") ILIKE '%ifconfig.me%'
    OR LOWER("Command") ILIKE '%ipinfo.io%'
    OR LOWER("Command") ILIKE '%icanhazip%'
    OR LOWER("Command") ILIKE '%wtfismyip%'
    OR LOWER("Command") ILIKE '%api.ipify%'
    OR LOWER("Command") ILIKE '%ip-api.com%'
    OR LOWER("Command") ILIKE '%ifconfig.co%'
    OR LOWER("Command") ILIKE '%checkip.amazonaws%'
    OR LOWER("Command") ILIKE '%myexternalip%'
    OR LOWER("Command") ILIKE '%whatismyip%'
    OR LOWER("Command") ILIKE '%ipecho.net%'
    OR LOWER("Command") ILIKE '%bing.com%'
    OR LOWER("Command") ILIKE '%google.com%'
    OR LOWER(destinationhostname) ILIKE '%ifconfig.me%'
    OR LOWER(destinationhostname) ILIKE '%ipinfo.io%'
    OR LOWER(destinationhostname) ILIKE '%icanhazip%'
    OR LOWER(destinationhostname) ILIKE '%wtfismyip%'
    OR LOWER(destinationhostname) ILIKE '%api.ipify%'
    OR LOWER(destinationhostname) ILIKE '%ip-api.com%'
    OR LOWER(destinationhostname) ILIKE '%checkip.amazonaws%'
    OR destinationip IN ('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1')
  )
  AND
  (
    LOWER("Process Name") ILIKE '%ping.exe%'
    OR LOWER("Process Name") ILIKE '%tracert.exe%'
    OR LOWER("Process Name") ILIKE '%pathping.exe%'
    OR LOWER("Process Name") ILIKE '%nslookup.exe%'
    OR LOWER("Process Name") ILIKE '%curl.exe%'
    OR LOWER("Process Name") ILIKE '%wget.exe%'
    OR LOWER("Process Name") ILIKE '%bitsadmin.exe%'
    OR LOWER("Process Name") ILIKE '%powershell.exe%'
    OR LOWER("Process Name") ILIKE '%pwsh.exe%'
    OR LOWER("Process Name") ILIKE '%cmd.exe%'
    OR destinationip IN ('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1')
    OR LOWER(destinationhostname) ILIKE '%ifconfig%'
    OR LOWER(destinationhostname) ILIKE '%ipify%'
    OR LOWER(destinationhostname) ILIKE '%icanhazip%'
  )
  AND username NOT LIKE '%$'
  AND NOT (
    LOWER("Process Name") ILIKE '%chrome.exe%'
    OR LOWER("Process Name") ILIKE '%firefox.exe%'
    OR LOWER("Process Name") ILIKE '%msedge.exe%'
    OR LOWER("Process Name") ILIKE '%iexplore.exe%'
    OR LOWER("Process Name") ILIKE '%opera.exe%'
    OR LOWER("Process Name") ILIKE '%brave.exe%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

Severity: medium · Confidence: medium

IBM QRadar AQL query detecting T1016.001 Internet Connection Discovery. It matches events from Windows Security Event 4688, Sysmon Event 1 (process create) and Sysmon Event 3 (network connection) whose command line, destination hostname or destination IP targets known public DNS resolvers, IP geolocation APIs or connectivity-check services, and additionally requires either a command-line networking tool as the process or a direct connection to one of those resolvers/IP-check hosts. Machine accounts (username with trailing $) and known browser processes are excluded. Field names follow QRadar DSM normalization for the Microsoft Windows Security and Sysmon log sources. Note that the AQL timeframe clause (LAST 24 HOURS) must come after ORDER BY; AQL rejects it in any other position.

Data Sources

  • Windows Security Event Log (DSM: Microsoft Windows Security Event Log)
  • Sysmon via Windows Event Forwarding (DSM: Microsoft Windows Sysmon)
  • QRadar Network Activity flows

Required Tables

events

False Positives & Tuning

  • IT operations teams executing documented runbooks that use ping to 8.8.8.8 as a first-step internet gateway reachability check during incident response or change management
  • PowerShell-based system health or compliance scripts that invoke Invoke-WebRequest or curl to ifconfig.me to determine and log the public IP of corporate egress points
  • Software deployment orchestration tools (SCCM, Ansible, Chef) that preflight-check internet connectivity using curl or nslookup before downloading packages from external repositories

Testing Methodology

Validate this detection against the following 5 adversary techniques from Atomic Red Team. Each test below names the behaviour to exercise and the telemetry you should expect to see.

  1. Ping Public DNS Resolver (Gamaredon/QuietSieve Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.

  2. HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.

  3. BITSAdmin Internet Connectivity Test (HEXANE Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.

  4. PowerShell Test-NetConnection to Public DNS

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.

  5. Tracert to External Host for Route Discovery (Proxy Enumeration)

    Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.
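The following Python is an added example, not part of this detection page or of IBM QRadar: it re-implements the AQL rule's WHERE clause as a plain predicate over event dicts keyed by the same QRadar field and property names, so the five expected signals above and the tuning cases from the False Positives section can be replayed offline before the rule is deployed. The event values are constructed to match the expected signals, not captured telemetry; the approved-sources allowlist is an assumed tuning hook that would correspond to a QRadar reference set of hosts running documented runbooks, and the verdict strings are this example's own.

```python
"""Offline model of the QRadar AQL rule for T1016.001 (added example, not the
page's own code).  Events are dicts keyed by the AQL field/property names the
rule uses, so the predicate can be replayed against constructed telemetry."""

# Indicator lists copied from the AQL WHERE clause.
RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
CMDLINE_HOSTS = ("ifconfig.me", "ipinfo.io", "icanhazip", "wtfismyip", "api.ipify",
                 "ip-api.com", "ifconfig.co", "checkip.amazonaws", "myexternalip",
                 "whatismyip", "ipecho.net", "bing.com", "google.com")
DEST_HOSTS = ("ifconfig.me", "ipinfo.io", "icanhazip", "wtfismyip", "api.ipify",
              "ip-api.com", "checkip.amazonaws")
TOOL_PROCESSES = ("ping.exe", "tracert.exe", "pathping.exe", "nslookup.exe", "curl.exe",
                  "wget.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
TOOL_DEST_HOSTS = ("ifconfig", "ipify", "icanhazip")
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe")


def _contains_any(value, needles):
    """Model of  LOWER(field) ILIKE '%needle%'  (case-insensitive substring)."""
    value = (value or "").lower()
    return any(n in value for n in needles)


def evaluate(event, approved_sources=frozenset()):
    """Return the rule's verdict for one normalized event.

    Verdicts: 'match', 'no_match', 'excluded_machine_account', 'excluded_browser',
    'suppressed_approved_source'.  approved_sources is an added tuning hook
    (assumption: it would map to a QRadar reference set of runbook hosts)."""
    cmd, proc = event.get("Command"), event.get("Process Name")
    dhost, dip = event.get("destinationhostname"), event.get("destinationip") or ""
    user = event.get("username") or ""

    # First parenthesised block: the event names a known resolver, geolocation
    # API or connectivity-check site in the command line or destination.
    target_seen = (_contains_any(cmd, RESOLVER_IPS) or _contains_any(cmd, CMDLINE_HOSTS)
                   or _contains_any(dhost, DEST_HOSTS) or dip in RESOLVER_IPS)
    # Second block: a command-line tool did it, or a Sysmon Event 3 / flow went
    # straight to a resolver or IP-check host (process fields may be absent).
    tool_seen = (_contains_any(proc, TOOL_PROCESSES) or dip in RESOLVER_IPS
                 or _contains_any(dhost, TOOL_DEST_HOSTS))
    if not (target_seen and tool_seen):
        return "no_match"
    if user.endswith("$"):                    # username NOT LIKE '%$'
        return "excluded_machine_account"
    if _contains_any(proc, BROWSERS):         # AND NOT (browser list)
        return "excluded_browser"
    if event.get("sourceip") in approved_sources:
        return "suppressed_approved_source"
    return "match"


# Constructed events shaped like the expected signals of Tests 1-5, plus the
# tuning cases.  Values are illustrative, not captured telemetry.
_SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = {
    "test1_ping": {"sourceip": "10.1.2.3", "username": "alice", "Parent Image": "cmd.exe",
                   "Process Name": _SYS32 + "ping.exe", "Command": "ping -n 1 8.8.8.8"},
    "test2_curl": {"sourceip": "10.1.2.3", "username": "alice", "Process Name": _SYS32 + "curl.exe",
                   "Command": "curl https://api.ipify.org", "destinationhostname": "api.ipify.org"},
    "test3_bits": {"sourceip": "10.1.2.3", "username": "alice", "Process Name": _SYS32 + "bitsadmin.exe",
                   "Command": "bitsadmin /transfer connecttest https://www.bing.com/ %TEMP%\\connecttest.txt"},
    "test4_pwsh": {"sourceip": "10.1.2.3", "username": "alice", "destinationip": "8.8.8.8",
                   "Process Name": _SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                   "Command": "powershell Test-NetConnection -ComputerName 8.8.8.8"},
    "test5_tracert": {"sourceip": "10.1.2.3", "username": "alice", "Process Name": _SYS32 + "tracert.exe",
                      "Command": "tracert -d -h 10 8.8.8.8"},
    # Tuning cases: browser exclusion, machine account, allowlisted runbook host.
    "fp_browser": {"sourceip": "10.1.2.3", "username": "alice", "destinationhostname": "api.ipify.org",
                   "Process Name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    "fp_machine_account": {"sourceip": "10.1.2.3", "username": "HOST01$",
                           "Process Name": _SYS32 + "ping.exe", "Command": "ping -n 1 8.8.8.8"},
    "fp_runbook_host": {"sourceip": "10.9.9.9", "username": "ops.admin",
                        "Process Name": _SYS32 + "ping.exe", "Command": "ping -n 1 8.8.8.8"},
    # Flow / Sysmon 3 record with no process fields still matches on destinationip.
    "flow_only": {"sourceip": "10.1.2.3", "username": "bob", "destinationip": "1.1.1.1"},
    # Internal ping: no indicator present.
    "benign_ping": {"sourceip": "10.1.2.3", "username": "bob",
                    "Process Name": _SYS32 + "ping.exe", "Command": "ping -n 1 10.0.0.1"},
    # Caveat: '%1.1.1.1%' has no boundaries, so 11.1.1.1 also matches.
    "substring_caveat": {"sourceip": "10.1.2.3", "username": "bob",
                         "Process Name": _SYS32 + "ping.exe", "Command": "ping -n 1 11.1.1.1"},
}
APPROVED_RUNBOOK_HOSTS = frozenset({"10.9.9.9"})  # assumed reference-set contents


def run_samples():
    """Evaluate every constructed event; returns {name: verdict}."""
    return {name: evaluate(ev, APPROVED_RUNBOOK_HOSTS) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

Two things the replay makes visible that the query text alone does not: a Sysmon Event 3 or flow record with no process fields still fires on destinationip alone, which is what makes the rule useful when command-line auditing is off but also means it will fire on any host that resolves directly against 8.8.8.8; and the `%1.1.1.1%`-style patterns are unbounded substring matches, so addresses such as 11.1.1.1 or 18.8.8.8 in a command line satisfy them. If either becomes noisy, the allowlist modelled by approved_sources maps naturally onto a QRadar reference set checked with REFERENCESETCONTAINS in the AQL.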
