T1016 IBM QRadar · QRadar

Detect System Network Configuration Discovery in IBM QRadar

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.

MITRE ATT&CK

Tactic: Discovery
Technique: T1016 System Network Configuration Discovery
Canonical reference: https://attack.mitre.org/techniques/T1016/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  "Parent Command Line" AS ParentCommandLine,
  CATEGORYNAME(category) AS Category,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  hostname AS HostName,
  CASE
    WHEN "Process Name" ILIKE '%\\ipconfig.exe'
      OR "Process Name" ILIKE '%\\arp.exe'
      OR "Process Name" ILIKE '%\\nbtstat.exe'
      OR "Process Name" ILIKE '%\\route.exe'
      OR "Process Name" ILIKE '%\\netstat.exe'
      OR "Process Name" ILIKE '%\\netsh.exe'
      OR "Process Name" ILIKE '%\\hostname.exe'
      OR "Process Name" ILIKE '%\\tracert.exe'
      OR "Process Name" ILIKE '%\\pathping.exe'
    THEN 1 ELSE 0
  END AS IsNativeTool,
  CASE
    WHEN ("Process Name" ILIKE '%\\powershell.exe' OR "Process Name" ILIKE '%\\pwsh.exe'
          OR "Process Name" ILIKE '%\\cmd.exe' OR "Process Name" ILIKE '%\\wscript.exe'
          OR "Process Name" ILIKE '%\\cscript.exe')
      AND ("Command Line" ILIKE '%Get-NetIPConfiguration%'
           OR "Command Line" ILIKE '%Get-NetAdapter%'
           OR "Command Line" ILIKE '%Get-NetRoute%'
           OR "Command Line" ILIKE '%Win32_NetworkAdapterConfiguration%'
           OR "Command Line" ILIKE '%Win32_NetworkAdapter%'
           OR "Command Line" ILIKE '%Get-DnsClientServerAddress%'
           OR "Command Line" ILIKE '%ipconfig%'
           OR "Command Line" ILIKE '%ifconfig%'
           OR "Command Line" ILIKE '%arp -%'
           OR "Command Line" ILIKE '%netstat%'
           OR "Command Line" ILIKE '%route print%'
           OR "Command Line" ILIKE '%nbtstat%'
           OR "Command Line" ILIKE '%netsh interface%'
           OR "Command Line" ILIKE '%esxcli network%')
    THEN 1 ELSE 0
  END AS IsScriptedDiscovery,
  CASE
    WHEN "Parent Process Name" ILIKE '%\\winword.exe'
      OR "Parent Process Name" ILIKE '%\\excel.exe'
      OR "Parent Process Name" ILIKE '%\\powerpnt.exe'
      OR "Parent Process Name" ILIKE '%\\outlook.exe'
      OR "Parent Process Name" ILIKE '%\\mshta.exe'
      OR "Parent Process Name" ILIKE '%\\rundll32.exe'
      OR "Parent Process Name" ILIKE '%\\regsvr32.exe'
      OR "Parent Process Name" ILIKE '%\\msiexec.exe'
    THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE (
    "Process Name" ILIKE '%\\ipconfig.exe'
    OR "Process Name" ILIKE '%\\arp.exe'
    OR "Process Name" ILIKE '%\\nbtstat.exe'
    OR "Process Name" ILIKE '%\\route.exe'
    OR "Process Name" ILIKE '%\\netstat.exe'
    OR "Process Name" ILIKE '%\\netsh.exe'
    OR "Process Name" ILIKE '%\\hostname.exe'
    OR "Process Name" ILIKE '%\\tracert.exe'
    OR "Process Name" ILIKE '%\\pathping.exe'
    OR (
      (
        "Process Name" ILIKE '%\\powershell.exe'
        OR "Process Name" ILIKE '%\\pwsh.exe'
        OR "Process Name" ILIKE '%\\cmd.exe'
        OR "Process Name" ILIKE '%\\wscript.exe'
        OR "Process Name" ILIKE '%\\cscript.exe'
      )
      AND (
        "Command Line" ILIKE '%Get-NetIPConfiguration%'
        OR "Command Line" ILIKE '%Get-NetAdapter%'
        OR "Command Line" ILIKE '%Get-NetRoute%'
        OR "Command Line" ILIKE '%Win32_NetworkAdapterConfiguration%'
        OR "Command Line" ILIKE '%Win32_NetworkAdapter%'
        OR "Command Line" ILIKE '%Get-DnsClientServerAddress%'
        OR "Command Line" ILIKE '%ipconfig%'
        OR "Command Line" ILIKE '%ifconfig%'
        OR "Command Line" ILIKE '%arp -%'
        OR "Command Line" ILIKE '%netstat%'
        OR "Command Line" ILIKE '%route print%'
        OR "Command Line" ILIKE '%nbtstat%'
        OR "Command Line" ILIKE '%netsh interface%'
        OR "Command Line" ILIKE '%esxcli network%'
      )
    )
  )
  AND devicetype IN (12, 215, 352)
ORDER BY starttime DESC
LAST 24 HOURS
Severity: medium. Confidence: high.

Detects T1016 System Network Configuration Discovery with a QRadar AQL query over Windows Sysmon (Event ID 1) and Windows Security (Event ID 4688) log sources. It matches native network enumeration executables by image name, and scripted discovery where PowerShell, cmd.exe or the Windows Script Host is launched with a command line containing a network-configuration cmdlet, WMI class or tool name. The "Command Line" matches only work for Event ID 4688 when process command line auditing is enabled (see Test 1 below). Three enrichment fields are computed for analyst triage: IsNativeTool, IsScriptedDiscovery, and SuspiciousParent (the process was spawned by an Office application, mshta, rundll32, regsvr32 or msiexec). Log source type ID (devicetype) 12 is Microsoft Windows Security Event Log, 215 is Sysmon for Windows, and 352 is Microsoft Windows PowerShell.

Data Sources

  • Microsoft Windows Security Event Log (LOGSOURCETYPEID 12): Event ID 4688
  • Sysmon for Windows (LOGSOURCETYPEID 215): Event ID 1
  • Microsoft Windows PowerShell (LOGSOURCETYPEID 352)

Required Tables

events

False Positives & Tuning

  • Automated IT asset inventory and CMDB sync processes (e.g., ServiceNow Discovery, Microsoft SCCM hardware inventory) routinely invoke ipconfig /all, netsh, and netstat via scheduled tasks under SYSTEM or dedicated service accounts, generating high-volume benign hits on managed endpoints.
  • Remote support tools (TeamViewer, ConnectWise, BeyondTrust) and RMM agents frequently run network diagnostics including ipconfig, arp, and tracert as part of remote troubleshooting sessions, which will match on SuspiciousParent if spawned via their agent process.
  • CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing network validation scripts as part of integration test suites will trigger IsScriptedDiscovery when running PowerShell Get-NetAdapter or netstat checks against local network adapters.
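The following Python is an added example, not the page's AQL and not IBM code. It mirrors the query's WHERE clause and its three CASE expressions (IsNativeTool, IsScriptedDiscovery, SuspiciousParent) so the rule logic can be regression-tested offline against constructed events, and it adds the account-plus-parent allowlist that the tuning notes above call for. The Event field names, the sample events and the SCCM allowlist entry (CcmExec.exe running as SYSTEM) are assumptions made for this example.

```python
r"""Offline mirror of the AQL rule's matching and enrichment logic.

Added example, not the page's AQL and not IBM code. It re-implements the WHERE
clause and the three CASE expressions so the rule can be regression-tested
against constructed events, and adds the allowlist the tuning notes describe.
Field names, sample events and the allowlist entry are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Lower-cased constants mirroring the ILIKE patterns in the AQL.
NATIVE_TOOLS = ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
DISCOVERY_MARKERS = ("get-netipconfiguration", "get-netadapter", "get-netroute",
                     "win32_networkadapterconfiguration", "win32_networkadapter",
                     "get-dnsclientserveraddress", "ipconfig", "ifconfig", "arp -",
                     "netstat", "route print", "nbtstat", "netsh interface",
                     "esxcli network")
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe")
IN_SCOPE_DEVICETYPES = {12, 215, 352}  # Windows Security, Sysmon, PowerShell


@dataclass
class Event:
    """One normalised process-creation event (field names are assumptions)."""
    event_id: str
    devicetype: int
    process: str   # "Process Name": full image path
    cmdline: str   # "Command Line"
    parent: str    # "Parent Process Name": full image path
    user: str


def image_is(path: str, names) -> bool:
    r"""Equivalent of  "Process Name" ILIKE '%\\name.exe': the path must end with a
    backslash followed by one of the names, compared case-insensitively."""
    p = path.lower()
    return any(p.endswith("\\" + n) for n in names)


def enrich(ev: Event) -> Optional[dict]:
    """Return the rule's enrichment flags, or None where the WHERE clause drops the event."""
    if ev.devicetype not in IN_SCOPE_DEVICETYPES:
        return None
    native = image_is(ev.process, NATIVE_TOOLS)
    cmd = ev.cmdline.lower()
    scripted = image_is(ev.process, SCRIPT_HOSTS) and any(m in cmd for m in DISCOVERY_MARKERS)
    if not (native or scripted):
        return None
    return {
        "IsNativeTool": int(native),
        "IsScriptedDiscovery": int(scripted),
        "SuspiciousParent": int(image_is(ev.parent, SUSPICIOUS_PARENTS)),
    }


# Tuning allowlist of (account, parent image) pairs. The SCCM client host
# CcmExec.exe running as SYSTEM is a constructed entry for the inventory case
# in the tuning notes; build the real list from your own baseline.
ALLOWLIST = {("nt authority\\system", "ccmexec.exe")}


def is_allowlisted(ev: Event, allowlist=ALLOWLIST) -> bool:
    return any(ev.user.lower() == user and image_is(ev.parent, (parent,))
               for user, parent in allowlist)


def triage(events, allowlist=ALLOWLIST):
    """Apply the rule and the allowlist; order alerts so scripted discovery under a
    suspicious parent is reviewed first."""
    alerts = []
    for ev in events:
        flags = enrich(ev)
        if flags is None or is_allowlisted(ev, allowlist):
            continue
        alerts.append((ev.event_id, flags))
    alerts.sort(key=lambda a: (a[1]["SuspiciousParent"], a[1]["IsScriptedDiscovery"]),
                reverse=True)
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("e1", 215, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all",
          r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    Event("e2", 12, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -nop -c Get-WmiObject Win32_NetworkAdapterConfiguration",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\jdoe"),
    Event("e3", 215, r"C:\Windows\System32\netstat.exe", "netstat -ano",
          r"C:\Windows\CCM\CcmExec.exe", r"NT AUTHORITY\SYSTEM"),   # allowlisted inventory
    Event("e4", 99, r"C:\Windows\System32\ipconfig.exe", "ipconfig",
          r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),             # out-of-scope log source
    Event("e5", 215, r"C:\Windows\System32\notepad.exe", "notepad.exe",
          r"C:\Windows\explorer.exe", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for event_id, flags in triage(SAMPLE_EVENTS):
        print(event_id, flags)
```

Running the block prints e2 (PowerShell WMI enumeration spawned by Word) before e1 (plain ipconfig under cmd.exe); e3 is suppressed by the allowlist, e4 falls outside the three log source types, and e5 never matches. Keeping the allowlist keyed on both account and parent image, rather than on the tool name alone, preserves detection of the same tools when they run under an interactive user or an unexpected parent.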

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test names the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that Test 5 produces Linux auditd telemetry; the query above filters on three Windows log source types, so Test 5 exercises your Linux log collection rather than this rule as written.

  1. Test 1: Windows Network Configuration Enumeration via ipconfig

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.

  2. Test 2: ARP Table and Routing Table Bulk Enumeration

    Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.

  3. Test 3: PowerShell WMI Network Adapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity Event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process spawned — purely in-process WMI query.

  4. Test 4: PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log underlying WMI calls made by these cmdlets.

  5. Test 5: Linux Network Configuration Discovery via ip and arp

    Expected signal: Linux auditd SYSCALL records for execve() calls for ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command. /proc audit trail for process creation.
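The AQL rule fires on single events, whereas Test 2 describes a pattern: several distinct enumeration tools started by the same parent within seconds. The Python below is an added example (not the page's AQL and not vendor code) of a post-query burst check over Sysmon Event ID 1 records, grouping tool launches by host and parent PID and reporting any window in which at least three different tools appear. The record field names follow Sysmon's (Image, ParentImage, ParentProcessId, Computer, UtcTime); the 30-second window, the threshold and the sample records are constructed assumptions.

```python
"""Burst check for the bulk enumeration telemetry described in Test 2.

Added example, not the page's AQL and not vendor code. Groups Sysmon Event ID 1
records by (Computer, ParentProcessId) and reports parents that launched several
distinct native network-enumeration tools inside a short window. The window,
threshold and sample records are constructed assumptions.
"""
from datetime import datetime, timedelta

NATIVE_TOOLS = {"ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe"}


def tool_name(image: str):
    """Lower-cased file name of a Sysmon Image path if it is one of the tools, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name if name in NATIVE_TOOLS else None


def parse_utc(value: str) -> datetime:
    # Sysmon UtcTime is formatted like "2024-05-01 10:15:02.123"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def find_bursts(events, window_seconds=30, min_distinct=3):
    """Return one finding per (host, parent PID) for the first sliding window in
    which at least min_distinct different enumeration tools were started."""
    launches = {}
    for ev in events:
        tool = tool_name(ev["Image"])
        if tool is None:
            continue  # not an enumeration tool; ignore
        key = (ev["Computer"], ev["ParentProcessId"])
        launches.setdefault(key, []).append(
            (parse_utc(ev["UtcTime"]), tool, ev["ParentImage"]))

    findings = []
    window = timedelta(seconds=window_seconds)
    for (host, ppid), items in launches.items():
        items.sort()  # chronological
        for i, (start, _, parent_image) in enumerate(items):
            tools = {t for ts, t, _ in items[i:] if ts - start <= window}
            if len(tools) >= min_distinct:
                findings.append({"host": host, "parent_pid": ppid,
                                 "parent_image": parent_image,
                                 "first_seen": start, "tools": sorted(tools)})
                break  # one finding per parent is enough for triage
    return findings


def _rec(computer, utc, ppid, image, parent=r"C:\Windows\System32\cmd.exe"):
    return {"Computer": computer, "UtcTime": utc, "ParentProcessId": ppid,
            "ParentImage": parent, "Image": image}


# Constructed Sysmon Event ID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    # WS01: four tools under one cmd.exe in under four seconds (the Test 2 pattern)
    _rec("WS01", "2024-05-01 10:15:02.000", 4321, r"C:\Windows\System32\ARP.EXE"),
    _rec("WS01", "2024-05-01 10:15:03.500", 4321, r"C:\Windows\System32\route.exe"),
    _rec("WS01", "2024-05-01 10:15:04.100", 4321, r"C:\Windows\System32\NETSTAT.EXE"),
    _rec("WS01", "2024-05-01 10:15:05.700", 4321, r"C:\Windows\System32\nbtstat.exe"),
    # WS02: two tools from the same parent 45 minutes apart; not a burst
    _rec("WS02", "2024-05-01 09:00:00.000", 880, r"C:\Windows\System32\ipconfig.exe"),
    _rec("WS02", "2024-05-01 09:45:00.000", 880, r"C:\Windows\System32\netstat.exe"),
    # unrelated process creation
    _rec("WS01", "2024-05-01 10:15:04.300", 4321, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for f in find_bursts(SAMPLE_EVENTS):
        print(f["host"], f["parent_pid"], f["first_seen"], ", ".join(f["tools"]))
```

The check is deliberately tolerant of image-name casing (Sysmon records the on-disk case) and of unrelated children interleaved with the tools. In QRadar the same idea can be expressed as a correlated rule over the AQL results keyed on host and parent, with the window and threshold tuned against the inventory and RMM baselines listed under tuning.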
