AN1015: Analytic 1015
Execution of utilities (e.g., ping, tracert, Test-NetConnection) or scripted methods to test Internet connectivity by interacting with external IPs/domains.
Analyst context for executives and security teams
This analytic concerns Windows systems running utilities or scripts such as ping, tracert, or Test-NetConnection to check whether they can reach external IP addresses or domains. For leaders, the value is not that every connectivity test is suspicious; it is that outbound reachability checks can appear during troubleshooting, automation, or adversary validation of network access. The business question is whether the organization can distinguish expected administrative testing from unusual external connectivity probing when it matters during an investigation.
Executive priority
Prioritize this as a coverage-validation item for SOC readiness and incident response triage, not as a standalone high-confidence alert. Executives and security leaders should ask whether Windows endpoint and network telemetry can show which user, host, process, and destination performed external connectivity checks, and whether those records are retained long enough to support incident decisions, audit evidence, and post-incident reconstruction.
Technical view
On Windows, validate visibility into execution of common connectivity utilities and scripted equivalents that interact with external IPs or domains. Because ATT&CK provides no detection logic, tactics, or relationship context for this analytic, SOC teams should treat it as a behavioral signal that needs local baselining. Detection engineering should focus on correlating command or script execution with destination context, initiating user/process, parent process, host role, and timing rather than alerting on utility names alone.
Likely telemetry
- Windows process creation telemetry including command line arguments
- PowerShell or script execution logs where Test-NetConnection or scripted connectivity checks may appear
- Endpoint security telemetry showing process, parent process, user, and host context
- DNS query logs for external domains referenced during connectivity tests
- Network connection or proxy/firewall logs showing outbound attempts to external IPs or domains
Detection direction
- Baseline legitimate administrative and troubleshooting use of ping, tracert, Test-NetConnection, and similar scripted checks on Windows systems.
- Tune for unusual combinations such as unexpected users, uncommon hosts, suspicious parent processes, rare destinations, or repeated checks to external infrastructure.
- Avoid high-severity alerting on utility execution alone; these commands are common and can generate substantial false positives.
- Correlate endpoint execution with DNS and network egress records to confirm whether an external interaction occurred.
- Identify blind spots where command-line logging, PowerShell/script logging, DNS visibility, or outbound network logs are missing or have insufficient retention.
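As an added example (not part of the ATT&CK object or of Glexia's page), the Python below applies the baselining steps above to constructed process-creation records: it pulls the destination out of ping/tracert/Test-NetConnection command lines, drops internal-only targets, and scores what remains against a hypothetical baseline of approved hosts, users and parent processes plus a repeat threshold. The sample events, the baseline sets, the internal DNS suffix and the severity ladder are all assumptions to be replaced with local data.

```python
import ipaddress
from collections import Counter
# Constructed sample process-creation records (not real telemetry): host, user, parent image, command line.
EVENTS = [
    {"host": "ADMIN-WS01", "user": "CORP\\netops", "parent": "cmd.exe", "cmd": "ping -n 4 10.20.30.1"},
    {"host": "ADMIN-WS01", "user": "CORP\\netops", "parent": "cmd.exe", "cmd": "tracert -d 8.8.8.8"},
    {"host": "FIN-WS17", "user": "CORP\\jdoe", "parent": "WINWORD.EXE",
     "cmd": 'powershell.exe -nop -c "Test-NetConnection -ComputerName example.com -Port 443"'},
    {"host": "FIN-WS17", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmd": "ping -n 1 -w 500 example.com"},
]
# Hypothetical local baseline: approved admin hosts/users, expected launchers, internal DNS suffix.
ADMIN_HOSTS, ADMIN_USERS, EXPECTED_PARENTS = {"ADMIN-WS01"}, {"CORP\\netops"}, {"cmd.exe", "powershell.exe", "explorer.exe"}
INTERNAL_SUFFIX, REPEAT_THRESHOLD = ".corp.local", 1
UTILS = {"ping", "ping.exe", "tracert", "tracert.exe", "pathping", "test-netconnection", "tnc"}
VALUE_FLAGS = {"-n", "-w", "-l", "-i", "-h", "-j", "-k", "-port"}  # switches that consume the next token

def extract_target(cmd):
    """Return the destination argument of the first connectivity utility in a command line, or None."""
    toks = cmd.replace('"', " ").split()
    for idx, tok in enumerate(toks):
        if tok.lower() in UTILS:
            args = iter(toks[idx + 1:])
            for t in args:
                if not t.startswith("-"):
                    return t
                if t.lower() in VALUE_FLAGS:
                    next(args, None)  # skip the switch's value so it is not mistaken for the target
    return None

def is_external(target):  # globally routable IP, or a name outside the internal DNS suffix
    try:
        return ipaddress.ip_address(target).is_global
    except ValueError:
        return not target.lower().endswith(INTERNAL_SUFFIX)

def triage(events):
    """Keep only external checks; severity tracks deviations from baseline, never the utility name alone."""
    findings, per_host = [], Counter()
    for ev in events:
        target = extract_target(ev["cmd"])
        if target is None or not is_external(target):
            continue  # not a connectivity utility, or an internal-only destination: no finding
        per_host[ev["host"]] += 1
        checks = {"non-admin host": ev["host"] not in ADMIN_HOSTS, "non-admin user": ev["user"] not in ADMIN_USERS,
                  "unexpected parent": ev["parent"].lower() not in EXPECTED_PARENTS,
                  "repeated external checks": per_host[ev["host"]] > REPEAT_THRESHOLD}
        reasons = [name for name, hit in checks.items() if hit]
        severity = ("info", "low", "medium")[len(reasons)] if len(reasons) < 3 else "high"
        findings.append({"host": ev["host"], "user": ev["user"], "target": target, "severity": severity, "reasons": reasons})
    return findings
```

Calling `triage(EVENTS)` yields one "info" finding for the approved admin host and two "high" findings for the finance workstation, which is the intended shape: external checks are recorded but only escalated when several baseline deviations coincide.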
Mitigation priorities
- Ensure Windows endpoint logging captures process execution with command-line detail where appropriate for policy and privacy requirements.
- Maintain network egress visibility through DNS, proxy, firewall, or network connection logging so external reachability checks can be investigated.
- Define expected administrative use cases and approved troubleshooting paths to support faster triage.
- Use least-privilege and administrative access controls to reduce unnecessary ability to run broad troubleshooting or scripted connectivity tests across endpoints.
- Incorporate this behavior into incident response playbooks as supporting evidence, not as a standalone determination of malicious activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows and describes execution of utilities or scripts used to test Internet connectivity by interacting with external IPs or domains. No official detection text, tactics, labels, aliases, or relationship context were provided, so the most defensible use is as a prompt to validate logging and triage workflows around outbound connectivity testing.
This take is limited to the provided official STIX fields and external reference. It does not infer associated techniques, adversary use, active exploitation, impact, or guaranteed detection. Local environment baselines and telemetry quality are required to determine whether this behavior is normal, suspicious, or incident-relevant.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 60e55e45eeb4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1015 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.