
System Network Configuration Discovery (T1016)

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Events covered

5 catalog events are tagged with this technique by at least one rule.

Provider | Event ID | Title
--- | --- | ---
Sysmon | 1 | Process creation
Sysmon | 3 | Network connection
Security-Auditing | 4688 | A new process has been created.
Defender-DeviceProcessEvents | 9001000 | Process activity (any)
PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 8 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (9 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
CommandLine | 4 | match 3, regex_match 1 | args, show , state , config , parentdomain
Image | 4 | ends_with 4, eq 1, starts_with 1 | \nltest.exe, \netsh.exe, C:\Program Files\Mozilla Firefox\firefox.exe, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, \WindowsApps\MicrosoftEdge.exe
OriginalFileName | 3 | eq 3 | nltestrk.exe, netsh.exe
FileName | 1 | eq 1 | AdFind.exe
SHA256 | 1 | eq 1 | c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
InitiatingProcessFileName | 1 | eq 1 | parentProcesses
DestinationHostname | 1 | eq 1, match 1 | myexternalip.com, bot.whatismyipaddress.com, ipecho.net
ScriptBlockText | 1 | eq 1 | "*ipinfo.io*", "*api.ipify.org*", "*Invoke-RestMethod*"
EventID | 1 | eq 1 | 4104

Top indicator values (99 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
--- | --- | --- | --- | ---
OriginalFileName | eq | nltestrk.exe | 2 | 2
Image | ends_with | \nltest.exe | 2 | 9
SHA256 | eq | c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 | 1 | 
CommandLine | match | args | 1 | 
InitiatingProcessFileName | eq | parentProcesses | 1 | 
FileName | eq | AdFind.exe | 1 | 
CommandLine | match | name=all | 1 | 
CommandLine | match | show  | 1 | 
CommandLine | match | config  | 1 | 2
Image | ends_with | \netsh.exe | 1 | 16
CommandLine | match | rule  | 1 | 
CommandLine | match | firewall  | 1 | 2
CommandLine | match | state  | 1 | 
OriginalFileName | eq | netsh.exe | 1 | 14
CommandLine | match | netsh | 1 | 
CommandLine | match | /user | 1 | 
CommandLine | match | query | 1 | 6
CommandLine | match | dsgetdc: | 1 | 
CommandLine | match | parentdomain | 1 | 
CommandLine | match | trusted_domains | 1 | 

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma: 5 rules

Splunk: 1 rule

Kusto Query Language: 2 rules