sigma | low | Hunting

Suspicious Network Command

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems.

MITRE ATT&CK

discovery

Detection Query

selection:
  CommandLine|re:
    - ipconfig\s+/all
    - netsh\s+interface show interface
    - arp\s+-a
    - nbtstat\s+-n
    - net\s+config
    - route\s+print
condition: selection

Author

frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'

Created

2021-12-07

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.discovery, attack.t1016

Raw Content

title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re:
            - 'ipconfig\s+/all'
            - 'netsh\s+interface show interface'
            - 'arp\s+-a'
            - 'nbtstat\s+-n'
            - 'net\s+config'
            - 'route\s+print'
    condition: selection
falsepositives:
    - Administrator, hotline ask to user
level: low
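
As an added example (not part of the rule or its authors' tooling), this Python harness runs the rule's six patterns over constructed process-creation command lines to show which ones fire, which stay quiet, and one false positive that comes from unanchored matching. It assumes unanchored, case-sensitive search as done by Python's `re.search`; actual behaviour depends on the Sigma backend in use, and `inventory.exe` is a hypothetical tool.

```python
import re

# The six patterns from the rule's CommandLine|re list, copied verbatim.
PATTERNS = [
    r'ipconfig\s+/all',
    r'netsh\s+interface show interface',
    r'arp\s+-a',
    r'nbtstat\s+-n',
    r'net\s+config',
    r'route\s+print',
]
COMPILED = [re.compile(p) for p in PATTERNS]

def matching_patterns(command_line):
    """Return the rule patterns that hit this CommandLine (the list is an OR)."""
    return [c.pattern for c in COMPILED if c.search(command_line)]

def triage(events):
    """Split process-creation events into rule hits and misses."""
    hits, misses = [], []
    for ev in events:
        matched = matching_patterns(ev["CommandLine"])
        (hits if matched else misses).append((ev["CommandLine"], matched))
    return hits, misses

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": "ipconfig /all"},
    {"CommandLine": "cmd.exe /c arp   -a"},  # several spaces still satisfy \s+
    {"CommandLine": "netsh interface show interface"},
    {"CommandLine": "net config workstation"},
    {"CommandLine": "route print -4"},
    {"CommandLine": "ipconfig /renew"},      # routine help-desk action, no pattern
    {"CommandLine": "route add 10.0.0.0 mask 255.0.0.0 10.1.1.1"},
    # Hypothetical tool: "subnet config.json" contains "net config".
    {"CommandLine": r"C:\tools\inventory.exe --subnet config.json"},
]

if __name__ == "__main__":
    hits, misses = triage(SAMPLE_EVENTS)
    for cmd, matched in hits:
        print(f"HIT   {cmd!r} -> {matched}")
    for cmd, _ in misses:
        print(f"MISS  {cmd!r}")
```

The last sample shows why a rule at level `low` like this one is better suited to hunting and correlation than to standalone alerting: a substring match on `net\s+config` can fire on unrelated arguments.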