T1016.001 Splunk · SPL

Detect Internet Connection Discovery in Splunk

Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.

MITRE ATT&CK

Tactic
Discovery
Technique
T1016 System Network Configuration Discovery
Sub-technique
T1016.001 Internet Connection Discovery
Canonical reference
https://attack.mitre.org/techniques/T1016/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 (Image="*\\ping.exe" OR Image="*\\tracert.exe" OR Image="*\\pathping.exe" OR Image="*\\nslookup.exe" OR Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"))
  OR
  (EventCode=4688 (NewProcessName="*\\ping.exe" OR NewProcessName="*\\tracert.exe" OR NewProcessName="*\\pathping.exe" OR NewProcessName="*\\nslookup.exe" OR NewProcessName="*\\curl.exe" OR NewProcessName="*\\bitsadmin.exe" OR NewProcessName="*\\powershell.exe"))
  OR
  (EventCode=3)
)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| eval TargetHost=coalesce(DestinationHostname, QueryName, CommandLine)
| eval cmd_lower=lower(coalesce(CommandLine, ""))
| eval dns_or_dest=lower(coalesce(DestinationHostname, ""))
| eval IsConnectivityTarget=if(
    match(cmd_lower, "(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)")
    OR match(dns_or_dest, "(ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net)"),
    1, 0)
| eval IsPingOrTrace=if(match(cmd_lower, "(ping|tracert|traceroute|pathping|nslookup|test-netconnection|test-connection)"), 1, 0)
| eval IsPublicDNSTarget=if(match(cmd_lower, "(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)"), 1, 0)
| eval IsIPLookupService=if(match(cmd_lower, "(ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net|ifconfig\.co)"), 1, 0)
| eval SuspicionScore=IsConnectivityTarget + IsPingOrTrace + IsPublicDNSTarget + IsIPLookupService
| where SuspicionScore > 0
| eval ProcessName=coalesce(Image, NewProcessName)
| eval User=coalesce(User, SubjectUserName)
| where NOT match(ProcessName, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)")
| table _time, host, User, ProcessName, cmd_lower, ParentImage, DestinationHostname, DestinationIp, DestinationPort, IsPingOrTrace, IsPublicDNSTarget, IsIPLookupService, SuspicionScore
| sort - _time
medium severity medium confidence

Detects Internet connection discovery attempts using Sysmon Event ID 1 (Process Creation), Event ID 3 (Network Connection), and Security Event ID 4688. Evaluates command lines and network destinations for known connectivity check patterns including ping/tracert to public DNS resolvers (8.8.8.8, 1.1.1.1), HTTP requests to IP-geolocation services (ifconfig.me, ipinfo.io, api.ipify.org), and use of bitsadmin for connectivity testing. Assigns a suspicion score based on multiple indicators. Excludes common browser processes to reduce false positives.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationCommand: Command ExecutionSysmon Event ID 1Sysmon Event ID 3Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • IT administrators or network engineers running ping/tracert diagnostics for legitimate troubleshooting
  • Monitoring and observability agents (Datadog, New Relic, SolarWinds) that periodically check internet reachability
  • Automated health check scripts in CI/CD pipelines or deployment automation that verify outbound connectivity before deploying updates
  • Operating system components and update services (Windows Update, Microsoft Defender signature updates) that contact Microsoft infrastructure
  • Network diagnostic tools used by help desk staff confirming connectivity for remote users
Download portable Sigma rule (.yml)

Other platforms for T1016.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Ping Public DNS Resolver (Gamaredon/QuietSieve Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.

  2. Test 2HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.

  3. Test 3BITSAdmin Internet Connectivity Test (HEXANE Style)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.

  4. Test 4PowerShell Test-NetConnection to Public DNS

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.

  5. Test 5Tracert to External Host for Route Discovery (Proxy Enumeration)

    Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1016.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1016System Network Configuration Discovery

Related Sub-techniques

T1016.002Wi-Fi Discovery

Related Techniques

T1016System Network Configuration DiscoveryT1049System Network Connections DiscoveryT1071.001Web ProtocolsT1041Exfiltration Over C2 ChannelT1102Web ServiceT1090ProxyT1082System Information DiscoveryT1059.001PowerShellT1059.003Windows Command ShellT1197BITS Jobs

Same Tactic: Discovery

Popular Detections