Detect System Network Configuration Discovery in Sumo Logic CSE
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors including Mustang Panda, HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer routinely perform this technique as part of initial reconnaissance after compromise.
MITRE ATT&CK
- Tactic: Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1016/
Sumo Detection Query
_sourceCategory=*/windows/sysmon OR _sourceCategory=*/windows/wineventlog/security OR _sourceCategory=*/windows/powershell
| where EventCode = 1 OR EventCode = 4688
| parse regex "(?i)(?:Image|New Process Name)\s*:\s*(?P<full_image_path>[^\r\n]+)" nodrop
| parse regex "(?i)(?:CommandLine|Process Command Line)\s*:\s*(?P<command_line>[^\r\n]+)" nodrop
| parse regex "(?i)(?:ParentImage|Creator Process Name)\s*:\s*(?P<parent_image>[^\r\n]+)" nodrop
| parse regex "(?i)(?:User|Subject Account Name)\s*:\s*(?P<user_name>[^\r\n]+)" nodrop
| parse regex "(?i)(?:Computer|ComputerName)\s*:\s*(?P<host_name>[^\r\n]+)" nodrop
| parse regex field=full_image_path "(?i)(?:[/\\\\])(?P<process_name>[^/\\\\\r\n]+\.exe)$" nodrop
| parse regex field=parent_image "(?i)(?:[/\\\\])(?P<parent_name>[^/\\\\\r\n]+\.exe)$" nodrop
| toLowerCase(process_name) as process_name
| toLowerCase(parent_name) as parent_name
| where process_name in ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                         "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe")
  OR (
    process_name in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "python.exe", "python3.exe")
    AND (
      command_line matches /(?i)Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute/
      OR command_line matches /(?i)Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|Get-DnsClientServerAddress/
      OR command_line matches /(?i)ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -/
      OR command_line matches /(?i)netstat|route print|nbtstat|netsh interface|esxcli network/
      OR command_line matches /(?i)show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType/
    )
  )
| if(process_name in ("ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                      "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe"), 1, 0) as IsNativeTool
| if(process_name in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"), 1, 0) as IsScriptedDiscovery
| if(parent_name in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                     "msiexec.exe", "svchost.exe"), 1, 0) as SuspiciousParent
| IsScriptedDiscovery + SuspiciousParent as SuspicionScore
| fields _messagetime, host_name, user_name, process_name, command_line, parent_name,
         IsNativeTool, IsScriptedDiscovery, SuspiciousParent, SuspicionScore
| sort by _messagetime desc

Detects T1016 System Network Configuration Discovery in Sumo Logic by parsing Sysmon EventCode 1 and Security EventCode 4688 process creation events from Windows endpoints. The query extracts the process name, command line and parent process with regex parsing, then flags each event with IsNativeTool (the discovery binary itself was executed), IsScriptedDiscovery (an interpreter such as PowerShell or cmd.exe ran a discovery command) and SuspiciousParent (the parent is an Office application, script host or other high-risk launcher). SuspicionScore, the sum of IsScriptedDiscovery and SuspiciousParent, gives analysts a simple ordering for triage.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint management platforms (Tanium, BigFix, Ansible Tower) that execute network configuration commands on managed hosts via their agent service accounts will generate high volumes of IsNativeTool hits from known management endpoints; allowlist by user_name or parent_name for these agents.
- Network performance monitoring solutions such as PRTG, SolarWinds NPM, or Dynatrace agents running on Windows hosts periodically call netstat, ipconfig, and arp as part of network topology discovery, triggering this rule on every collection cycle.
- Developer workstations running local Kubernetes clusters (minikube, kind, Docker Desktop) frequently invoke ip addr, netstat, and route commands via scripting interpreters (Python, cmd.exe) to inspect virtual network adapters, creating sustained IsScriptedDiscovery matches for development users.
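To see the query's parse-and-score logic and the allowlisting suggested in the tuning notes run end to end, here is an added Python example; it is not part of the original page or of Sumo Logic's tooling. It replays the same field regexes, process lists, command-line patterns and SuspicionScore over constructed Sysmon EventCode 1 and Security EventCode 4688 event bodies, then suppresses hits attributed to an assumed endpoint-management agent (the parent name `taniumclient.exe` and account `svc_tanium` are constructed placeholders, not values from the page). One deliberate difference from the query: the field regexes are anchored to line start, so that `Image:` cannot match inside `ParentImage:` if a collector emits fields in a different order.

```python
import re

# Constructed sample events (not real telemetry): Sysmon EventCode 1 and Security
# EventCode 4688 bodies as "Field: value" lines, the shape the query's parse regex expects.
SAMPLE_EVENTS = [
    # Sysmon 1: ipconfig launched from Word -> IsNativeTool and SuspiciousParent
    "EventCode: 1\nImage: C:\\Windows\\System32\\ipconfig.exe\nCommandLine: ipconfig /all\n"
    "ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\n"
    "User: CORP\\jdoe\nComputer: WS-0420.corp.example",
    # Security 4688: in-process WMI enumeration from PowerShell -> IsScriptedDiscovery
    "EventCode: 4688\nNew Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "Process Command Line: powershell -nop -c \"Get-WmiObject Win32_NetworkAdapterConfiguration\"\n"
    "Creator Process Name: C:\\Windows\\explorer.exe\nSubject Account Name: jdoe\nComputerName: WS-0420",
    # Security 4688: endpoint-management agent running netstat -> allowlist candidate (constructed names)
    "EventCode: 4688\nNew Process Name: C:\\Windows\\System32\\netstat.exe\nProcess Command Line: netstat -ano\n"
    "Creator Process Name: C:\\Program Files\\Tanium\\Tanium Client\\TaniumClient.exe\n"
    "Subject Account Name: svc_tanium\nComputerName: WS-0420",
    # Unrelated process creation: must produce no alert
    "EventCode: 1\nImage: C:\\Windows\\System32\\notepad.exe\nCommandLine: notepad.exe notes.txt\n"
    "ParentImage: C:\\Windows\\explorer.exe\nUser: CORP\\jdoe\nComputer: WS-0420.corp.example",
]

# Field extraction mirrors the query's parse regex statements, anchored to line start
# ((?m)^) so that "Image:" cannot match inside "ParentImage:".
FIELD_PATTERNS = {
    "event_code": re.compile(r"(?im)^EventCode\s*:\s*(\d+)"),
    "full_image_path": re.compile(r"(?im)^(?:Image|New Process Name)\s*:\s*([^\r\n]+)"),
    "command_line": re.compile(r"(?im)^(?:CommandLine|Process Command Line)\s*:\s*([^\r\n]+)"),
    "parent_image": re.compile(r"(?im)^(?:ParentImage|Creator Process Name)\s*:\s*([^\r\n]+)"),
    "user_name": re.compile(r"(?im)^(?:User|Subject Account Name)\s*:\s*([^\r\n]+)"),
    "host_name": re.compile(r"(?im)^(?:Computer|ComputerName)\s*:\s*([^\r\n]+)"),
}
# Executable basename; case-insensitive because Sysmon records on-disk casing (WINWORD.EXE).
BASENAME_EXE = re.compile(r"(?i)[/\\]([^/\\\r\n]+\.exe)$")

NATIVE_TOOLS = {"ipconfig.exe", "arp.exe", "nbtstat.exe", "route.exe", "netstat.exe",
                "netsh.exe", "hostname.exe", "tracert.exe", "pathping.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "python.exe", "python3.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                      "msiexec.exe", "svchost.exe"}
# The query's five command-line patterns joined into one alternation.
DISCOVERY_CMDLINE = re.compile(
    r"Get-NetIPConfiguration|Get-NetAdapter|Get-NetRoute"
    r"|Win32_NetworkAdapterConfiguration|Win32_NetworkAdapter|Get-DnsClientServerAddress"
    r"|ipconfig|ifconfig|ip addr|ip route|arp -[an]|arp -"
    r"|netstat|route print|nbtstat|netsh interface|esxcli network"
    r"|show ip route|show ip interface|networksetup|system_profiler SPNetworkDataType",
    re.IGNORECASE,
)
# Tuning allowlist keyed on parent_name or user_name, as the tuning notes suggest.
# Values are constructed for this example; derive real ones from your own baseline.
ALLOWLIST = {"parent_name": {"taniumclient.exe"}, "user_name": {"svc_tanium"}}


def parse_event(text):
    """Extract the query's fields from one event body; absent fields become ""."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(text)
        fields[name] = match.group(1).strip() if match else ""
    for src, dst in (("full_image_path", "process_name"), ("parent_image", "parent_name")):
        match = BASENAME_EXE.search(fields[src])
        fields[dst] = match.group(1).lower() if match else ""  # toLowerCase step
    return fields


def classify(fields):
    """Apply the query's where clause and scoring; None means the event is filtered out."""
    if fields["event_code"] not in ("1", "4688"):
        return None
    proc, cmdline = fields["process_name"], fields["command_line"]
    native = proc in NATIVE_TOOLS
    scripted = proc in INTERPRETERS and DISCOVERY_CMDLINE.search(cmdline) is not None
    if not (native or scripted):
        return None
    hit = dict(fields)
    hit["IsNativeTool"] = int(native)
    hit["IsScriptedDiscovery"] = int(proc in SCRIPT_HOSTS)
    hit["SuspiciousParent"] = int(fields["parent_name"] in SUSPICIOUS_PARENTS)
    hit["SuspicionScore"] = hit["IsScriptedDiscovery"] + hit["SuspiciousParent"]
    hit["Allowlisted"] = (fields["parent_name"] in ALLOWLIST["parent_name"]
                          or fields["user_name"].lower() in ALLOWLIST["user_name"])
    return hit


def run_detection(events, include_allowlisted=False):
    """Return alerts ordered by SuspicionScore (highest first); allowlisted hits are dropped by default."""
    alerts = [hit for hit in map(classify, map(parse_event, events)) if hit]
    if not include_allowlisted:
        alerts = [hit for hit in alerts if not hit["Allowlisted"]]
    alerts.sort(key=lambda hit: hit["SuspicionScore"], reverse=True)  # stable: ties keep event order
    return alerts
```

Run with `run_detection(SAMPLE_EVENTS, include_allowlisted=True)` to see all three hits with their scores, and without the flag to see the two that survive the allowlist. Note that the Word-spawned ipconfig and the PowerShell WMI query both score 1 for different reasons, which is why the query keeps the three component flags visible in the output rather than only the total.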
Other platforms for T1016
Testing Methodology
Validate this detection against five Atomic Red Team tests for T1016. Each test below names the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Windows Network Configuration Enumeration via ipconfig
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'ipconfig /all'. Sysmon Event ID 11: File Create at %TEMP%\netconfig.txt. Security Event ID 4688 (if command line auditing is enabled) showing cmd.exe spawning ipconfig.exe. Prefetch file IPCONFIG.EXE-*.pf updated.
- Test 2: ARP Table and Routing Table Bulk Enumeration
Expected signal: Sysmon Event ID 1: Four separate Process Create events for arp.exe, route.exe, netstat.exe, and nbtstat.exe within seconds of each other, all with parent process cmd.exe. Security Event ID 4688 for each child process. Prefetch files for each tool updated.
- Test 3: PowerShell WMI Network Adapter Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_NetworkAdapterConfiguration'. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI Activity event in Microsoft-Windows-WMI-Activity/Operational. No ipconfig.exe or arp.exe child process spawned — purely in-process WMI query.
- Test 4: PowerShell Get-NetIPConfiguration and Get-NetAdapter Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetIPConfiguration', 'Get-NetAdapter', and 'Get-NetRoute'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet sequence. No child processes spawned. Microsoft-Windows-WMI-Activity/Operational may log the underlying WMI calls made by these cmdlets.
- Test 5: Linux Network Configuration Discovery via ip and arp
Expected signal: Linux auditd SYSCALL records for execve() calls for ip, arp, and cat with their arguments. Syslog process accounting entries. If auditd is configured with -a exit,always -F arch=b64 -S execve rules, EXECVE records show each command. /proc audit trail for process creation.
References (12)
- https://attack.mitre.org/techniques/T1016/
- https://attack.mitre.org/software/S0100/
- https://attack.mitre.org/software/S0101/
- https://attack.mitre.org/software/S0099/
- https://attack.mitre.org/software/S0102/
- https://attack.mitre.org/software/S0103/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
- https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
- https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_recon.yml