title: Internet Connection Discovery (T1016.001)
id: df00tech-t1016-001
status: experimental
description: "Adversaries may check for Internet connectivity on compromised systems as part of automated discovery. This can be performed using ping, tracert, HTTP GET requests to known websites (e.g., bing.com, google.com, ifconfig.me), or bandwidth/speed tests. Adversaries use the results to confirm C2 reachability, identify proxy servers or redirectors, and determine network routing before establishing full C2 communications."
references:
  - https://attack.mitre.org/techniques/T1016/001/
  - https://df00tech.com/detections/T1016.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1016.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech logic could not be auto-translated; the authoritative KQL/SPL query is on df00tech.
  # The selection below is derived from the rule description (ping/tracert and an HTTP client
  # probing well-known hosts). Keys inside the selection are ANDed, list values are ORed.
  # Tune the image and hostname lists to your environment before deploying.
  selection:
    Image|endswith:
      - '\ping.exe'
      - '\tracert.exe'
      - '\curl.exe'
    CommandLine|contains:
      - 'bing.com'
      - 'google.com'
      - 'ifconfig.me'
  condition: selection
falsepositives:
  - IT administrators or network engineers running ping/tracert diagnostics for legitimate troubleshooting
  - "Monitoring and observability agents (Datadog, New Relic, SolarWinds) that periodically check internet reachability"
  - Automated health check scripts in CI/CD pipelines or deployment automation that verify outbound connectivity before deploying updates
  - "Operating system components and update services (Windows Update, Microsoft Defender signature updates) that contact Microsoft infrastructure"
  - Network diagnostic tools used by help desk staff confirming connectivity for remote users
level: medium
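The following is an added worked example, not part of the df00tech rule or its site: it applies the rule's matching logic (probe binary plus well-known hostname in the command line) to a handful of constructed Sysmon-style process-creation events, and then layers on a simple burst heuristic that the rule description motivates but does not define. The field names (`Image`, `CommandLine`, `UtcTime`, `Computer`, `User`), the sample events, and the 60-second window are assumptions for illustration.

```python
"""Offline check of the T1016.001 process_creation logic over constructed events.

Added example; not code from the df00tech rule. Field names follow the Sysmon
Event ID 1 layout, which is an assumption about the log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Images and hostnames mirror the rule description; a real deployment would
# extend both lists (e.g. Invoke-WebRequest from powershell.exe).
PROBE_IMAGES = {"ping.exe", "tracert.exe", "curl.exe"}
PROBE_HOSTS = ("bing.com", "google.com", "ifconfig.me")

# Constructed sample events (not real telemetry). Alice's three probes in four
# seconds look like automated discovery; Bob pings an internal host; the help
# desk runs a single diagnostic ping.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2026-04-13 09:00:01", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 1 google.com"},
    {"UtcTime": "2026-04-13 09:00:03", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl -s https://ifconfig.me"},
    {"UtcTime": "2026-04-13 09:00:05", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\tracert.exe", "CommandLine": "tracert -d bing.com"},
    {"UtcTime": "2026-04-13 10:15:00", "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping fileserver01"},
    {"UtcTime": "2026-04-13 11:00:00", "Computer": "WS03", "User": "CORP\\helpdesk",
     "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 4 google.com"},
]


def image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased (Sigma's Image|endswith)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_connectivity_probe(event: Dict[str, str]) -> bool:
    """Equivalent of the rule's selection: probe binary AND well-known host."""
    if image_name(event.get("Image", "")) not in PROBE_IMAGES:
        return False
    cmd = event.get("CommandLine", "").lower()
    return any(host in cmd for host in PROBE_HOSTS)


def match_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events the Sigma selection would fire on, in input order."""
    return [e for e in events if is_connectivity_probe(e)]


def _ts(event: Dict[str, str]) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def burst_alerts(events: List[Dict[str, str]], window_s: int = 60,
                 min_probes: int = 2) -> List[Tuple[str, str, int]]:
    """Raise the signal above a lone diagnostic ping: report (Computer, User,
    count) when one actor runs >= min_probes matching probes inside window_s.
    This sliding-window grouping is an assumption added here, not part of the rule."""
    by_actor: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in match_rule(events):
        by_actor[(e["Computer"], e["User"])].append(_ts(e))
    alerts = []
    for (computer, user), times in by_actor.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - timedelta(seconds=window_s):
                j += 1
            best = max(best, i - j + 1)
        if best >= min_probes:
            alerts.append((computer, user, best))
    return alerts


if __name__ == "__main__":
    for e in match_rule(SAMPLE_EVENTS):
        print("match:", e["Computer"], e["User"], e["CommandLine"])
    print("burst alerts:", burst_alerts(SAMPLE_EVENTS))
```

Bob's ping never matches because the rule requires a listed hostname, and the help desk ping matches the selection but stays below the burst threshold; that second layer is one way to keep the rule at `level: medium` without paging on every single diagnostic ping.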
