title: System Network Configuration Discovery (T1016)
id: df00tech-t1016
status: experimental
description: "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information, including ipconfig/ifconfig, arp, nbtstat, route, and netstat. Adversaries use this information during automated discovery to shape follow-on behaviors, including determining access within the target network and planning lateral movement paths. On ESXi hosts, esxcli commands such as 'esxcli network nic list' and 'esxcli network ip interface ipv4 get' are used. Network device CLIs may also be leveraged (e.g., 'show ip route', 'show ip interface'). Threat actors such as Mustang Panda and HEXANE, and malware families such as Pikabot, Dyre, and Olympic Destroyer, routinely perform this technique as part of initial reconnaissance after compromise."
references:
  - https://attack.mitre.org/techniques/T1016/
  - https://df00tech.com/detections/T1016
author: df00tech
date: 2026/04/13
tags:
  - attack.t1016
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators and helpdesk staff running ipconfig, arp, or netstat during routine troubleshooting"
  - "IT monitoring agents (SolarWinds, PRTG, Nagios, Datadog) that enumerate network interfaces and routing tables on a schedule"
  - "Software installers and configuration management tools (SCCM, Ansible, Puppet, Chef) that query network settings to configure applications"
  - "Security scanners and vulnerability assessment tools that collect host network configuration as part of asset inventory"
  - "Developer workstations where developers routinely use PowerShell Get-NetIPConfiguration or ip addr for network testing"
level: low
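The rule above ships with a placeholder selection, so here is an added example (not df00tech's query and not part of the rule) of the detection logic the description and falsepositives sections describe: it flags the named discovery utilities, the esxcli network commands and Get-NetIPConfiguration from process_creation events, suppresses the listed monitoring and configuration-management agents by parent process, and alerts only when one host/user chains several distinct tools in a short window. The agent process names and the sample events are constructed assumptions, not real telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Utilities named in the rule description (Windows and POSIX names).
DISCOVERY_TOOLS = {"ipconfig.exe", "ifconfig", "arp.exe", "arp", "nbtstat.exe", "route.exe", "route", "netstat.exe", "netstat"}
# Parent-image substrings for the agents listed under falsepositives (assumed process names; tune per environment).
BENIGN_PARENTS = {"solarwinds", "prtg", "nagios", "datadog", "ccmexec", "ansible", "puppet", "chef"}

def discovery_tool(event):
    """Return the T1016 tool an event represents, or None if it is unrelated."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("cmdline", "").lower()
    if image in DISCOVERY_TOOLS:
        return image
    if image == "esxcli" and "network" in cmd:          # esxcli network nic list / ip interface ipv4 get
        return "esxcli-network"
    if image in ("powershell.exe", "pwsh.exe") and "get-netipconfiguration" in cmd:
        return "get-netipconfiguration"
    return None

def find_discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one host/user runs >= threshold distinct discovery tools inside the window."""
    recent = defaultdict(deque)          # (host, user) -> deque of (timestamp, tool)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        tool = discovery_tool(ev)
        parent = ev.get("parent", "").lower()
        if tool is None or any(name in parent for name in BENIGN_PARENTS):
            continue                     # unrelated process, or spawned by an allowlisted agent
        ts, key = datetime.fromisoformat(ev["ts"]), (ev["host"], ev["user"])
        q = recent[key]
        q.append((ts, tool))
        while ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        tools = sorted({t for _, t in q})
        if len(tools) >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], "tools": tools})
            q.clear()                    # one alert per burst
    return alerts

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-04-13T10:00:01", "host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-13T10:00:04", "host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\ARP.EXE", "cmdline": "arp -a", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-13T10:00:09", "host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-13T10:30:00", "host": "WS02", "user": "helpdesk", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-13T11:00:00", "host": "SRV01", "user": "SYSTEM", "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -rn", "parent": r"C:\Program Files\SolarWinds\Agent.exe"},
    {"ts": "2026-04-13T11:00:01", "host": "SRV01", "user": "SYSTEM", "image": r"C:\Windows\System32\route.exe", "cmdline": "route print", "parent": r"C:\Program Files\SolarWinds\Agent.exe"},
    {"ts": "2026-04-13T11:00:02", "host": "SRV01", "user": "SYSTEM", "image": r"C:\Windows\System32\arp.exe", "cmdline": "arp -a", "parent": r"C:\Program Files\SolarWinds\Agent.exe"},
]
```

Running `find_discovery_bursts(SAMPLE_EVENTS)` yields one alert for WS01/jdoe; the single helpdesk ipconfig and the agent-spawned burst on SRV01 stay silent.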
