T1016 Splunk · SPL

Detect System Network Configuration Discovery in Splunk

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.

MITRE ATT&CK

Tactic
Discovery
Technique
T1016 System Network Configuration Discovery
Canonical reference
https://attack.mitre.org/techniques/T1016/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\ipconfig.exe" OR Image="*\\arp.exe" OR Image="*\\nbtstat.exe"
   OR Image="*\\route.exe" OR Image="*\\netstat.exe" OR Image="*\\netsh.exe"
   OR Image="*\\hostname.exe" OR Image="*\\tracert.exe" OR Image="*\\pathping.exe"
   OR (Image="*\\powershell.exe" AND (CommandLine="*Get-NetIPConfiguration*" OR CommandLine="*Get-NetAdapter*"
       OR CommandLine="*Get-NetRoute*" OR CommandLine="*Win32_NetworkAdapterConfiguration*"
       OR CommandLine="*Win32_NetworkAdapter*" OR CommandLine="*Get-DnsClientServerAddress*"))
   OR (Image="*\\cmd.exe" AND (CommandLine="*ipconfig*" OR CommandLine="*arp *" OR CommandLine="*nbtstat*"
       OR CommandLine="*route print*" OR CommandLine="*netstat*")))
| eval ToolName=mvindex(split(Image, "\\"), -1)
| eval IsNativeTool=if(match(ToolName, "^(ipconfig|arp|nbtstat|route|netstat|netsh|hostname|tracert|pathping)\.exe$"), 1, 0)
| eval IsScriptedDiscovery=if(match(Image, "powershell\.exe|cmd\.exe") AND match(CommandLine, "Get-Net|Win32_Network|ipconfig|arp |nbtstat|route print|netstat"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook|mshta|rundll32|regsvr32|msiexec)\.exe"), 1, 0)
| eval SuspicionScore=IsScriptedDiscovery + SuspiciousParent
| table _time, host, User, ToolName, CommandLine, ParentImage, ParentCommandLine,
        IsNativeTool, IsScriptedDiscovery, SuspiciousParent, SuspicionScore
| sort - _time
low severity medium confidence

Detects network configuration discovery using Sysmon Event ID 1 (Process Creation). Monitors native Windows network utilities (ipconfig, arp, nbtstat, route, netstat, netsh, hostname) and scripted equivalents via PowerShell WMI queries and Get-Net* cmdlets. Assigns a suspicion score based on whether discovery is scripted (higher risk) and whether the parent process is a suspicious application such as an Office application or LOLBin.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting
  • IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule
  • Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications
  • Security scanners and vulnerability assessment tools that collect host network configuration as part of asset inventory
  • Developer workstations where developers routinely use PowerShell Get-NetIPConfiguration or ip addr for network testing
Download portable Sigma rule (.yml)

Other platforms for T1016

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Network Configuration Enumeration via ipconfig

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.

  2. Test 2ARP Table and Routing Table Bulk Enumeration

    Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.

  3. Test 3PowerShell WMI Network Adapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity Event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process spawned — purely in-process WMI query.

  4. Test 4PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log underlying WMI calls made by these cmdlets.

  5. Test 5Linux Network Configuration Discovery via ip and arp

    Expected signal: Linux auditd SYSCALL records for execve() calls for ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command. /proc audit trail for process creation.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1016 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1016.001Internet Connection DiscoveryT1016.002Wi-Fi DiscoveryT1049System Network Connections DiscoveryT1018Remote System DiscoveryT1046Network Service DiscoveryT1057Process DiscoveryT1082System Information DiscoveryT1087Account DiscoveryT1071.001Web ProtocolsT1074.001Local Data Staging

Same Tactic: Discovery

Popular Detections