Detect Internet Connection Discovery in Sumo Logic CSE
Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications.
MITRE ATT&CK
- Tactic
- Discovery
- Sub-technique
- T1016.001 Internet Connection Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1016/001/
Sumo Detection Query
(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*winevent*" OR _sourceCategory="*winlogbeat*")
| where EventCode in ("1", "4688", "3", "22")
| parse regex field=Message "(?:CommandLine|ProcessCommandLine|Command Line):\s*(?<CommandLine>[^\n\r]+)" nodrop
| parse regex field=Message "(?:Image|NewProcessName):\s*(?<ProcessName>[^\n\r]+)" nodrop
| parse regex field=Message "(?:ParentImage|ParentProcessName):\s*(?<ParentImage>[^\n\r]+)" nodrop
| parse regex field=Message "(?:DestinationHostname|QueryName):\s*(?<DestHost>[^\n\r]+)" nodrop
| parse regex field=Message "(?:DestinationIp|DestinationAddress):\s*(?<DestIP>[^\n\r]+)" nodrop
| eval cmd_lower = toLowerCase(if(isNull(CommandLine), "", CommandLine))
| eval dest_lower = toLowerCase(if(isNull(DestHost), "", DestHost))
| eval proc_lower = toLowerCase(if(isNull(ProcessName), "", ProcessName))
| where (
matches(cmd_lower, /8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1|bing\.com|google\.com|ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net/)
OR matches(dest_lower, /ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|ifconfig\.co|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net/)
OR DestIP in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
)
| where !matches(proc_lower, /chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe/)
| eval IsPingOrTrace = if(matches(cmd_lower, /ping|tracert|traceroute|pathping|nslookup|test-netconnection|test-connection/), 1, 0)
| eval IsIPLookupService = if(matches(cmd_lower, /ifconfig\.me|ipinfo\.io|icanhazip|wtfismyip|api\.ipify|ip-api\.com|checkip\.amazonaws|myexternalip|whatismyip|ipecho\.net/), 1, 0)
| eval IsPublicDNS = if(matches(cmd_lower, /8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1/) OR DestIP in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"), 1, 0)
| eval SuspicionScore = IsPingOrTrace + IsIPLookupService + IsPublicDNS
| where SuspicionScore > 0
| sort by _messageTime desc
| fields _messageTime, host, ProcessName, CommandLine, ParentImage, DestHost, DestIP, IsPingOrTrace, IsIPLookupService, IsPublicDNS, SuspicionScoreSumo Logic query detecting T1016.001 Internet Connection Discovery across Windows Security (EventCode 4688), Sysmon process create (EventCode 1), Sysmon network (EventCode 3), and Sysmon DNS (EventCode 22) sources. Parses raw message fields for command line, process name, parent image, and destination. Applies a three-component suspicion score (ping/trace tools, IP lookup services, public DNS targets) and filters out browser-initiated activity.
Data Sources
Required Tables
False Positives & Tuning
- Network engineers running ping to 8.8.8.8 as a baseline reachability step in documented troubleshooting and change management procedures
- Monitoring and RMM platforms (Kaseya, NinjaRMM, ConnectWise) that run scheduled curl or PowerShell connectivity probes against public check services to verify internet egress from managed endpoints
- Developer build environments or containerized workloads that call curl to api.ipify.org or ifconfig.me at startup to determine public egress IP for dynamic firewall rule registration
Other platforms for T1016.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Ping Public DNS Resolver (Gamaredon/QuietSieve Style)
Expected signal: Sysmon Event ID 1: Process Create with Image=ping.exe, CommandLine='ping -n 1 8.8.8.8', ParentImage=cmd.exe. Security Event ID 4688 (with command line auditing enabled): NewProcessName=ping.exe, ProcessCommandLine='ping -n 1 8.8.8.8'. ICMP traffic to 8.8.8.8 visible in network logs.
- Test 2HTTP GET to IP Geolocation Service (NKAbuse/Malware Style)
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'api.ipify.org'. Sysmon Event ID 3: Network Connection from curl.exe to api.ipify.org:443 (HTTPS). Sysmon Event ID 22: DNS Query for 'api.ipify.org'. Security Event ID 4688 if command line auditing enabled.
- Test 3BITSAdmin Internet Connectivity Test (HEXANE Style)
Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer connecttest' and 'bing.com'. Sysmon Event ID 3: Network Connection from svchost.exe (BITS service) to www.bing.com:443. Security Event ID 4688 with bitsadmin command line. File creation event (Sysmon Event ID 11) for %TEMP%\connecttest.txt if transfer succeeds.
- Test 4PowerShell Test-NetConnection to Public DNS
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Test-NetConnection' and '8.8.8.8'. Sysmon Event ID 3: Network Connection from powershell.exe to 8.8.8.8:80 (TCP, Test-NetConnection default). PowerShell ScriptBlock Log Event ID 4104 containing 'Test-NetConnection -ComputerName 8.8.8.8'.
- Test 5Tracert to External Host for Route Discovery (Proxy Enumeration)
Expected signal: Sysmon Event ID 1: Process Create with Image=tracert.exe, CommandLine='tracert -d -h 10 8.8.8.8'. Sysmon Event ID 3: Multiple ICMP/UDP network connections to intermediate hop IPs. Security Event ID 4688 with tracert command line if process creation auditing enabled.
References (12)
- https://attack.mitre.org/techniques/T1016/001/
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://securityintelligence.com/posts/more_eggs-malware-moonlighting-as-linkedin-recruiter/
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine/
- https://securelist.com/lyceum-group-reborn/104586/
- https://blog.talosintelligence.com/operation-layover-how-we-tracked-a-possible-carrier/
- https://www.mandiant.com/resources/unc3890-targets-israel
- https://securelist.com/qakbot-technical-analysis/103931/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016.001/T1016.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
Unlock Pro Content
Get the full detection package for T1016.001 including response playbook, investigation guide, and atomic red team tests.