T1016.001 Microsoft Sentinel · KQL

Detect Internet Connection Discovery in Microsoft Sentinel

Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.

MITRE ATT&CK

Tactic
Discovery
Technique
T1016 System Network Configuration Discovery
Sub-technique
T1016.001 Internet Connection Discovery
Canonical reference
https://attack.mitre.org/techniques/T1016/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let KnownConnectivityTargets = dynamic([
  "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
  "bing.com", "google.com", "microsoft.com", "ifconfig.me",
  "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com",
  "whatismyip.com", "ipecho.net", "myexternalip.com",
  "wtfismyip.com", "api.ipify.org", "ip-api.com",
  "ifconfig.co", "ipv4.icanhazip.com"
]);
let PingTracertCommands = dynamic([
  "ping", "tracert", "traceroute", "pathping", "nslookup",
  "Test-NetConnection", "Test-Connection", "Invoke-WebRequest",
  "curl", "wget", "bitsadmin"
]);
// Detection 1: Process-based — ping/tracert/curl to connectivity check targets
let ProcessBased = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("ping.exe", "tracert.exe", "traceroute", "pathping.exe", "nslookup.exe", "curl.exe", "wget.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any (KnownConnectivityTargets)
      or ProcessCommandLine has_any ("ifconfig.me", "ipinfo.io", "icanhazip", "wtfismyip", "api.ipify", "ip-api.com", "ifconfig.co", "checkip.amazonaws")
| extend DetectionType = "ProcessCommandLine"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId, ProcessId, DetectionType;
// Detection 2: Network-based — direct HTTP/DNS connections to connectivity-check services
let NetworkBased = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (KnownConnectivityTargets)
      or RemoteUrl has_any ("ifconfig.me", "ipinfo.io", "icanhazip", "wtfismyip", "api.ipify", "ip-api.com", "ifconfig.co", "checkip.amazonaws")
      or RemoteIP in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe")
| extend DetectionType = "NetworkConnection"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          RemoteIP, RemoteUrl, RemotePort, DetectionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId;
union ProcessBased, NetworkBased
| sort by Timestamp desc
medium severity medium confidence

Detects Internet connection discovery activity on Windows endpoints using Microsoft Defender for Endpoint. Combines two detection approaches: (1) process command line inspection for ping, tracert, curl, nslookup, PowerShell, and bitsadmin commands targeting well-known connectivity check services or DNS resolvers; (2) network connection events to IP-geolocation/connectivity-check services initiated by non-browser processes. Covers known adversary patterns including Gamaredon ping to 8.8.8.8, Neoichor HTTP GET to bing.com, NKAbuse queries to ifconfig.me, and HEXANE bitsadmin connectivity tests.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceNetworkEvents

False Positives & Tuning

  • IT administrators or network engineers running ping/tracert diagnostics for legitimate troubleshooting
  • Monitoring and observability agents (Datadog, New Relic, SolarWinds) that periodically check internet reachability
  • Automated health check scripts in CI/CD pipelines or deployment automation that verify outbound connectivity before deploying updates
  • Operating system components and update services (Windows Update, Microsoft Defender signature updates) that contact Microsoft infrastructure
  • Network diagnostic tools used by help desk staff confirming connectivity for remote users
Download portable Sigma rule (.yml)

Other platforms for T1016.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Ping Public DNS Resolver (Gamaredon/QuietSieve Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.

  2. Test 2HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.

  3. Test 3BITSAdmin Internet Connectivity Test (HEXANE Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.

  4. Test 4PowerShell Test-NetConnection to Public DNS

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.

  5. Test 5Tracert to External Host for Route Discovery (Proxy Enumeration)

    Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1016.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1016System Network Configuration Discovery

Related Sub-techniques

T1016.002Wi-Fi Discovery

Related Techniques

T1016System Network Configuration DiscoveryT1049System Network Connections DiscoveryT1071.001Web ProtocolsT1041Exfiltration Over C2 ChannelT1102Web ServiceT1090ProxyT1082System Information DiscoveryT1059.001PowerShellT1059.003Windows Command ShellT1197BITS Jobs

Same Tactic: Discovery

Popular Detections