1. Home
  2. Detection Strategies
  3. Behavioral Detection of Internet Connection Discovery

Behavioral Detection of Internet Connection Discovery

Technique Detected:  Internet Connection Discovery | T1016.001

ID: DET0357
Domains: Enterprise
Analytics: AN1015, AN1016, AN1017, AN1018
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1015

Execution of utilities (e.g., ping, tracert, Test-NetConnection) or scripted methods to test Internet connectivity by interacting with external IPs/domains.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4104
Network Connection Creation (DC0082) WinEventLog:Security EventCode=5156
Mutable Elements
Field Description
DestinationIP Tunable external IP ranges or domains used to verify Internet access (e.g., 8.8.8.8, example.com)
TimeWindow Cluster rapid test connections with command execution in < 60 seconds
UserContext Filter out known admin/script contexts to reduce false positives

AN1016

Execution of ping, traceroute, or curl/wget against public IPs/domains to verify Internet reachability.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:EXECVE execve
Network Connection Creation (DC0082) linux:syslog network
Mutable Elements
Field Description
DomainPatterns Regex for common test domains like example.com, google.com
ProtocolType Adjust focus to ICMP, HTTP, or mixed protocol testing

AN1017

Execution of ping, traceroute, or network utility tools to external destinations; may include scutil or system_profiler.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process
Mutable Elements
Field Description
ExecutionFrequency Rare use of ICMP utilities may be tuned based on user/host baselines
EnrichmentLevel Tune data joins with parent process and user activity context

AN1018

Execution of ping, vmkping, or curl from shell or through automation jobs/scripts to verify Internet egress.

Log Sources
Data Component Name Channel
Script Execution (DC0029) esxi:shell None
Process Creation (DC0032) esxi:hostd process
Mutable Elements
Field Description
SSHSessionOrigin Distinguish external SSH sessions from internal admin maintenance
TargetIP Egress test destination may be filtered to known CDNs/test nodes