Detect System Network Configuration Discovery in CrowdStrike LogScale
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.
MITRE ATT&CK
- Tactic
- Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1016/
LogScale Detection Query
#event_simpleName = ProcessRollup2
// Match native network discovery binaries or interpreters running discovery commands
| ImageFileName = /\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$/i
OR (
ImageFileName = /\\(powershell|pwsh|cmd|wscript|cscript|python|python3)\.exe$/i
AND CommandLine = /(?i)(Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute|Get-DnsClientServerAddress|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -|netstat|route print|nbtstat|netsh interface|esxcli network|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType)/
)
// Compute enrichment fields
| IsNativeTool := if(
ImageFileName = /\\(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$/i,
"true", "false"
)
| IsScriptedDiscovery := if(
ImageFileName = /\\(powershell|pwsh|cmd|wscript|cscript)\.exe$/i
AND CommandLine = /(?i)(Get-Net|Win32_Network|ipconfig|ifconfig|arp -|netstat|route print|nbtstat|netsh interface|esxcli)/,
"true", "false"
)
| SuspiciousParent := if(
ParentImageFileName = /\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32|msiexec)\.exe$/i,
"true", "false"
)
| SuspicionScore := if(IsScriptedDiscovery = "true", 1, 0) + if(SuspiciousParent = "true", 1, 0)
// Project relevant fields for analyst review
| table(
[
timestamp,
ComputerName,
UserName,
ImageFileName,
CommandLine,
ParentImageFileName,
ParentCommandLine,
IsNativeTool,
IsScriptedDiscovery,
SuspiciousParent,
SuspicionScore,
TargetProcessId,
ContextProcessId
]
)
| sort(timestamp, order = desc)Detects T1016 System Network Configuration Discovery using CrowdStrike LogScale (CQL) against Falcon ProcessRollup2 telemetry. Matches execution of native Windows network enumeration binaries and scripting interpreters running network discovery commands via regex on ImageFileName and CommandLine fields. Computes IsNativeTool, IsScriptedDiscovery, SuspiciousParent, and SuspicionScore enrichment fields for analyst prioritization. Designed for the Falcon SIEM Connector or LogScale direct ingestion of Falcon event stream data.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor self-diagnostics and internal health checks may spawn netstat or ipconfig as child processes on endpoints, generating hits with Falcon-related parent process names that do not match SuspiciousParent but still match IsNativeTool.
- IT helpdesk remote support sessions initiated via Falcon Real Time Response (RTR) where analysts manually run ipconfig, arp, or netstat for live troubleshooting will appear in telemetry with RTR-related parent context; correlate with RTR session logs to suppress.
- Windows Subsystem for Linux (WSL) processes executing ifconfig or ip addr as part of Linux development workflows will generate ProcessRollup2 events matching the native tool regex when the WSL interop bridge spawns Windows-side processes, particularly on developer laptops.
Other platforms for T1016
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Network Configuration Enumeration via ipconfig
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.
- Test 2ARP Table and Routing Table Bulk Enumeration
Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.
- Test 3PowerShell WMI Network Adapter Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity Event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process spawned — purely in-process WMI query.
- Test 4PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log underlying WMI calls made by these cmdlets.
- Test 5Linux Network Configuration Discovery via ip and arp
Expected signal: Linux auditd SYSCALL records for execve() calls for ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command. /proc audit trail for process creation.
References (12)
- https://attack.mitre.org/techniques/T1016/
- https://attack.mitre.org/software/S0100/
- https://attack.mitre.org/software/S0101/
- https://attack.mitre.org/software/S0099/
- https://attack.mitre.org/software/S0102/
- https://attack.mitre.org/software/S0103/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
- https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
- https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_recon.yml
Unlock Pro Content
Get the full detection package for T1016 including response playbook, investigation guide, and atomic red team tests.