T1016 Elastic Security · Elastic

Detect System Network Configuration Discovery in Elastic Security

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.

MITRE ATT&CK

Tactic
Discovery
Technique
T1016 System Network Configuration Discovery
Canonical reference
https://attack.mitre.org/techniques/T1016/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  process.name in~ ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                    "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
  or (
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "python.exe", "python3.exe")
    and process.command_line : ("*Get-NetIPConfiguration*", "*Get-NetAdapter*",
                                "*Get-NetRoute*", "*Get-DnsClientServerAddress*",
                                "*Win32_NetworkAdapterConfiguration*", "*Win32_NetworkAdapter*",
                                "*ipconfig*", "*ifconfig*", "*ip addr*", "*ip route*",
                                "*arp -a*", "*arp -n*", "*netstat -r*", "*route print*",
                                "*nbtstat*", "*netsh interface*",
                                "*esxcli network*", "*show ip route*", "*show ip interface*",
                                "*networksetup*", "*system_profiler SPNetworkDataType*")
  )
) and not (
  process.parent.name in~ ("msiexec.exe") and
  process.name == "ipconfig.exe" and
  process.command_line : "*/all*"
)
| eval IsNativeTool = process.name in~ ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe",
                                         "netstat.exe", "netsh.exe", "hostname.exe",
                                         "tracert.exe", "pathping.exe")
| eval SuspiciousParent = process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe",
                                                    "outlook.exe", "mshta.exe", "wscript.exe",
                                                    "cscript.exe", "rundll32.exe",
                                                    "regsvr32.exe", "msiexec.exe")
medium severity high confidence

Detects T1016 System Network Configuration Discovery using Elastic EQL against Elastic Common Schema (ECS) process events. Matches execution of native Windows network enumeration binaries (ipconfig, arp, nbtstat, netstat, route, netsh, hostname, tracert, pathping) and scripted discovery via PowerShell cmdlets (Get-NetIPConfiguration, Get-NetAdapter, Get-NetRoute, Win32_NetworkAdapterConfiguration) or shell commands. Flags suspicious parent processes indicative of malware-initiated discovery (Office apps, mshta, rundll32, regsvr32).

Data Sources

Elastic Endpoint (endpoint.events.process)Winlogbeat with Sysmon (event.code:1)Auditbeat process module (Linux)

Required Tables

logs-endpoint.events.process-*winlogbeat-*auditbeat-*

False Positives & Tuning

  • IT administrators and network engineers routinely execute ipconfig, netstat, route, and arp as part of standard troubleshooting, resulting in high-volume benign hits from known admin hosts or admin user accounts.
  • Software installers and patch management tools (SCCM, Ansible, Puppet, Chef) frequently invoke ipconfig or netsh during deployment scripts to validate network readiness, triggering IsNativeTool matches on known management infrastructure.
  • Monitoring and observability agents (Datadog, SolarWinds, PRTG) run scheduled network discovery commands via cmd.exe or PowerShell to collect interface metrics, generating recurring hits from the agent service account.
  • Developer workstations running WSL or Docker tooling may invoke ip addr, ip route, or ifconfig via Python or shell scripts as part of container network configuration checks.
  • Security scanning tools (Nessus, Qualys, Rapid7) that enumerate network configuration as part of authenticated vulnerability assessments will match scripted discovery patterns from known scanner IPs.
Download portable Sigma rule (.yml)

Other platforms for T1016

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Network Configuration Enumeration via ipconfig

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.

  2. Test 2ARP Table and Routing Table Bulk Enumeration

    Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.

  3. Test 3PowerShell WMI Network Adapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity Event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process spawned — purely in-process WMI query.

  4. Test 4PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log underlying WMI calls made by these cmdlets.

  5. Test 5Linux Network Configuration Discovery via ip and arp

    Expected signal: Linux auditd SYSCALL records for execve() calls for ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command. /proc audit trail for process creation.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1016 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1016.001Internet Connection DiscoveryT1016.002Wi-Fi DiscoveryT1049System Network Connections DiscoveryT1018Remote System DiscoveryT1046Network Service DiscoveryT1057Process DiscoveryT1082System Information DiscoveryT1087Account DiscoveryT1071.001Web ProtocolsT1074.001Local Data Staging

Same Tactic: Discovery

Popular Detections