Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Sigma rule

```yaml
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re:
            - 'ipconfig\s+/all'
            - 'netsh\s+interface show interface'
            - 'arp\s+-a'
            - 'nbtstat\s+-n'
            - 'net\s+config'
            - 'route\s+print'
    condition: selection
falsepositives:
    - Administrator, hotline ask to user
level: low
```
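To see what the selection actually fires on, here is an added example (not part of the SigmaHQ rule or its backends) that applies the rule's six `CommandLine|re` patterns to a handful of constructed process_creation events. It follows the Sigma `re` modifier semantics of an unanchored, case-sensitive search, so `ipconfig /release` and an upper-cased `IPCONFIG /ALL` do not match while `ipconfig  /all` with extra whitespace does.

```python
import re

# The six CommandLine|re patterns from the rule, copied verbatim.
PATTERNS = [
    r'ipconfig\s+/all',
    r'netsh\s+interface show interface',
    r'arp\s+-a',
    r'nbtstat\s+-n',
    r'net\s+config',
    r'route\s+print',
]
COMPILED = [re.compile(p) for p in PATTERNS]


def matching_pattern(command_line):
    """Return the first rule pattern that hits, or None.

    Sigma's plain `re` modifier is an unanchored search and is case-sensitive
    unless `re|i` is used, hence re.search() with no flags.
    """
    for pat in COMPILED:
        if pat.search(command_line):
            return pat.pattern
    return None


# Constructed sample events (not real telemetry); only CommandLine matters here.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig  /all"},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /release"},
    {"Image": r"C:\Windows\System32\ARP.EXE", "CommandLine": "arp -a"},
    {"Image": r"C:\Windows\System32\ROUTE.EXE", "CommandLine": "route print"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net config workstation"},
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface show interface"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
]


def evaluate(events):
    """Apply the rule (condition: selection) and return one low-level alert per hit."""
    alerts = []
    for ev in events:
        hit = matching_pattern(ev.get("CommandLine", ""))
        if hit is not None:
            alerts.append({"title": "Suspicious Network Command", "level": "low",
                           "pattern": hit, "CommandLine": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: {alert['CommandLine']!r} matched {alert['pattern']}")
```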
Related rules
- Firewall Configuration Discovery Via Netsh.EXE
- OpenCanary - SNMP OID Request
- Suspicious Network Connection to IP Lookup Service APIs
- Potential Pikabot Discovery Activity
- System Network Discovery - macOS