T1016 Google Chronicle · YARA-L

Detect System Network Configuration Discovery in Google Chronicle

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.

MITRE ATT&CK

Tactic
Discovery
Technique
T1016 System Network Configuration Discovery
Canonical reference
https://attack.mitre.org/techniques/T1016/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule T1016_System_Network_Configuration_Discovery {

  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1016 System Network Configuration Discovery. Matches execution of native Windows network enumeration binaries (ipconfig, arp, nbtstat, route, netstat, netsh, hostname, tracert, pathping) and scripted discovery via PowerShell, cmd, or scripting interpreters using network enumeration cmdlets or shell commands. Also detects ESXi esxcli and Linux ip/ifconfig enumeration."
    mitre_technique = "T1016"
    mitre_tactic    = "TA0007"
    severity        = "MEDIUM"
    priority        = "MEDIUM"
    yara_version    = "YL2.0"
    rule_version    = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    (
      // Native Windows network discovery tools executed directly
      re.regex($e.target.process.file.full_path,
        `(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$`)

      or

      // Scripted discovery via interpreter with network enumeration keywords
      (
        re.regex($e.target.process.file.full_path,
          `(?i)\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$`)
        and
        re.regex($e.target.process.command_line,
          `(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|netstat|route print|nbtstat|netsh interface|esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    // Per-event score: suspicious parent (+50), scripted enumeration (+30), native tool (+20);
    // the detection carries the highest-scoring event in the 5m window for the host.
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path,
        `(?i)\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec|svchost)\.exe$`), 50, 0)
      +
      if(re.regex($e.target.process.file.full_path,
        `(?i)\\(powershell|pwsh|cmd|wscript|cscript)\.exe$`)
        and re.regex($e.target.process.command_line,
        `(?i)(Get-Net|Win32_Network|ipconfig|netstat|route print|arp |nbtstat)`), 30, 0)
      +
      if(re.regex($e.target.process.file.full_path,
        `(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$`), 20, 0)
    )
    // With a match section, non-match event fields must be aggregated; array_distinct keeps every value seen in the window
    $hostname        = $e.principal.hostname
    $user            = array_distinct($e.principal.user.userid)
    $process_name    = array_distinct($e.target.process.file.full_path)
    $command_line    = array_distinct($e.target.process.command_line)
    $parent_process  = array_distinct($e.principal.process.file.full_path)

  condition:
    $e
}
Severity: medium · Confidence: high

YARA-L 2.0 rule for Google Chronicle UDM detecting T1016 System Network Configuration Discovery. Matches PROCESS_LAUNCH events where the target process is a native Windows network enumeration binary or a scripting interpreter running network discovery commands. Outcome scoring weights suspicious parent processes (+50), scripted enumeration patterns (+30), and native tool execution (+20) for risk-based prioritization. Groups events by hostname over a 5-minute window to support correlation.
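To check how the rule's two event predicates and the three-term outcome score combine before deploying it, the following Python re-implements that logic with the rule's own regexes and runs it over a handful of constructed PROCESS_LAUNCH events (including the patch-management false positive from the tuning notes). This is an added example written for this page, not Chronicle code or part of the rule; the event dictionary keys, hostnames and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Patterns copied from the rule; RE2 there, Python re here (both accept a leading (?i))
NATIVE_TOOL = re.compile(r"(?i)\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$")
INTERPRETER = re.compile(r"(?i)\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$")
DISCOVERY_CMD = re.compile(
    r"(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|"
    r"Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|netstat|route print|nbtstat|netsh interface|"
    r"esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)")
SUSPICIOUS_PARENT = re.compile(
    r"(?i)\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec|svchost)\.exe$")
SCRIPT_HOST = re.compile(r"(?i)\\(powershell|pwsh|cmd|wscript|cscript)\.exe$")
SCORED_CMD = re.compile(r"(?i)(Get-Net|Win32_Network|ipconfig|netstat|route print|arp |nbtstat)")

def matches(ev):
    """events section: native tool launched directly, or an interpreter whose command line carries discovery keywords."""
    return bool(NATIVE_TOOL.search(ev["target"])
                or (INTERPRETER.search(ev["target"]) and DISCOVERY_CMD.search(ev["cmdline"])))

def risk_score(ev):
    """outcome section: the three weighted if() terms (+50 parent, +30 scripted, +20 native) summed for one event."""
    score = 50 if SUSPICIOUS_PARENT.search(ev["parent"]) else 0
    score += 30 if SCRIPT_HOST.search(ev["target"]) and SCORED_CMD.search(ev["cmdline"]) else 0
    score += 20 if NATIVE_TOOL.search(ev["target"]) else 0
    return score

def evaluate(events, window_s=300):
    """match section: bucket matching events per hostname into 5m windows; $risk_score = max() over each bucket."""
    buckets = defaultdict(list)
    for ev in events:
        if matches(ev):
            buckets[(ev["hostname"], ev["ts"] // window_s)].append(risk_score(ev))
    return {key: max(scores) for key, scores in buckets.items()}

# Constructed PROCESS_LAUNCH events (hostname, epoch seconds, parent, target, command line); not real telemetry
SAMPLE_EVENTS = [
    {"hostname": "ws01", "ts": 100, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c ipconfig /all > %TEMP%\netconfig.txt"},
    {"hostname": "ws01", "ts": 150, "parent": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
    {"hostname": "srv02", "ts": 1000, "parent": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},  # the SCCM-style false positive
    {"hostname": "ws03", "ts": 2000, "parent": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-NetAdapter | Get-NetIPConfiguration"},
    {"hostname": "ws03", "ts": 2010, "parent": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
```

`evaluate(SAMPLE_EVENTS)` yields 80 for ws01 (Word spawning cmd with ipconfig: 50 + 30 outweighs the plain netstat at 20), 70 for the svchost-parented ipconfig on srv02, and 30 for the interactive PowerShell cmdlets on ws03; the notepad launch never enters a bucket.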

Data Sources

Google Chronicle UDM PROCESS_LAUNCH events from Windows endpoints, ingested via:
  • Chronicle Forwarder or BindPlane
  • Chronicle Sysmon UDM parser (event.idm.read_only_udm.metadata.product_event_type: ProcessCreate)
  • Chronicle CrowdStrike Falcon UDM feed
  • Chronicle Carbon Black UDM feed

Required Tables

UDM entity graph (PROCESS_LAUNCH event type)

False Positives & Tuning

  • Automated patch management and orchestration tools (SCCM, Intune, Puppet) that spawn ipconfig or netsh as child processes of msiexec.exe or svchost.exe during software deployments will receive the +50 suspicious-parent weighting, because those parent process names appear in the risk scoring regex.
  • Network baseline capture scripts executed by IT operations teams using PowerShell Get-NetAdapter or Get-NetIPConfiguration to document adapter configuration before and after maintenance windows will match the scripted discovery pattern on known maintenance accounts.
  • Security tools performing authenticated internal network scans (Rapid7 InsightVM, Tenable Nessus agents) that run ipconfig or netstat via WMI or remote PowerShell remoting will generate PROCESS_LAUNCH events matching native tool criteria on scanned hosts.
Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Windows Network Configuration Enumeration via ipconfig

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing is enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.

  2. Test 2: ARP Table and Routing Table Bulk Enumeration

    Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.

  3. Test 3: PowerShell WMI Network Adapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process is spawned: the query runs in-process through WMI.

  4. Test 4: PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log the underlying WMI calls made by these cmdlets.

  5. Test 5: Linux Network Configuration Discovery via ip and arp

    Expected signal: Linux auditd SYSCALL records for execve() calls to ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command and its arguments. Process creation is also visible under /proc while the commands run.
