DET0357: Behavioral Detection of Internet Connection Discovery
Analyst context for executives and security teams
This detection strategy is intended to identify behavior associated with Internet Connection Discovery, where an adversary checks whether a compromised system can reach the Internet before attempting further communication. For leaders, the value is not just spotting a ping or web request; it is validating whether the organization can recognize early discovery activity that may precede command-and-control setup or follow-on intrusion activity.
Executive priority
Prioritize this as an early-warning coverage question for SOC and incident response readiness. Internet connectivity checks can occur across Windows, Linux, macOS, and ESXi environments according to the related ATT&CK technique, so leaders should ask whether endpoint and network visibility covers critical user, server, virtualization, and administrative systems. This is also useful audit evidence for demonstrating that discovery-stage behaviors are monitored, not only malware payloads or confirmed exfiltration.
Technical view
ATT&CK provides no official detection text for DET0357, so defenders should derive validation from the related technique T1016.001: Internet Connection Discovery under the Discovery tactic. SOC teams should confirm whether they can observe unusual or contextually suspicious connectivity tests such as ping-like traffic, traceroute-style activity, HTTP GET requests to external sites, or bandwidth/speed-test behavior from systems where that activity is uncommon. Detection engineering should focus on behavioral context: process or user initiating the check, destination reputation or novelty, timing relative to other discovery activity, and whether the host subsequently attempts external communications.
Likely telemetry
- Endpoint process execution telemetry showing network diagnostic utilities or processes initiating outbound checks
- Network flow or proxy logs showing outbound connectivity tests to external destinations
- DNS query logs for domains used during connectivity validation
- Firewall or egress control logs showing allowed or blocked outbound attempts
- HTTP/S proxy metadata for GET requests to external websites
Detection direction
- Validate that detections are scoped to behavior and context, not single commands alone, because legitimate administrators and applications may also test connectivity.
- Tune for unusual initiators, unusual hosts, rare destinations, repeated checks, or connectivity testing shortly before additional outbound communication attempts.
- Correlate with other Discovery-stage telemetry where available to increase confidence and reduce false positives.
- Review visibility gaps on non-user systems, including servers and ESXi environments, because the related technique includes those platforms.
- Because DET0357 has no supplied official detection logic, require local baselining and test data before treating alerts as high confidence.
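One way to turn the context signals above (initiator, rare destination, repeated checks, follow-on outbound traffic) into scoring logic over endpoint and flow telemetry, as an added example that is not part of the ATT&CK object or Glexia's analytics. The tool list, event field names, baseline host set, weights and sample events are all constructed assumptions to be replaced with local baselines.

```python
"""Context scoring for Internet connection checks (T1016.001). Added example,
not the ATT&CK object's or Glexia's logic; tool list, field names, baseline
and weights are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

CHECK_TOOLS = {"ping", "tracert", "traceroute", "curl", "wget", "nslookup"}  # assumed
BASELINE_HOSTS = {"it-admin-01"}          # constructed: hosts where diagnostics are routine
FOLLOW_ON_WINDOW = timedelta(minutes=10)  # assumed correlation window

def score_host(events, baseline=BASELINE_HOSTS, window=FOLLOW_ON_WINDOW):
    """Score one host's outbound events. Each event has ts (ISO 8601), host,
    image (process name), dest and new_dest (dest never seen from this host).
    Returns (score, reasons); (0, []) when no connectivity check is present."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    checks = sorted((e for e in events if e["image"] in CHECK_TOOLS), key=ts)
    if not checks:
        return 0, []
    last = ts(checks[-1])
    # A non-diagnostic process reaching out shortly after the check is the strongest signal.
    follow = [e for e in events
              if e["image"] not in CHECK_TOOLS and last < ts(e) <= last + window]
    signals = [
        (checks[0]["host"] not in baseline, 1, "host outside diagnostic baseline"),
        (len(checks) >= 2, 1, f"{len(checks)} checks in one batch"),
        (any(e["new_dest"] for e in checks), 1, "check against never-seen destination"),
        (bool(follow), 2, "follow-on outbound by " + (follow[0]["image"] if follow else "")),
    ]
    score = sum(w for hit, w, _ in signals if hit)
    return score, [why for hit, _, why in signals if hit]

def evaluate(events):
    """Group events by host and return {host: (score, reasons)}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return {h: score_host(evs) for h, evs in by_host.items()}

# Constructed sample telemetry: fake hostnames, documentation-range addresses.
SAMPLE = [
    {"ts": "2024-05-01T09:00:00", "host": "it-admin-01", "image": "ping",
     "dest": "203.0.113.10", "new_dest": False},
    {"ts": "2024-05-01T14:02:10", "host": "fin-ws-17", "image": "ping",
     "dest": "203.0.113.10", "new_dest": False},
    {"ts": "2024-05-01T14:02:15", "host": "fin-ws-17", "image": "curl",
     "dest": "cdn-check.example.net", "new_dest": True},
    {"ts": "2024-05-01T14:05:40", "host": "fin-ws-17", "image": "update.exe",
     "dest": "198.51.100.77", "new_dest": True},
]
```

Running `evaluate(SAMPLE)` scores the baselined admin host at 0 and the finance workstation at 5, with the follow-on outbound connection from a non-diagnostic process carrying the most weight.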
Mitigation priorities
- Ensure egress monitoring and logging are enabled for critical assets before relying on this strategy operationally.
- Baseline normal administrative and application-driven connectivity testing so the SOC can distinguish expected behavior from suspicious discovery.
- Apply least-privilege and controlled administrative tooling practices to reduce unnecessary diagnostic activity from sensitive systems.
- Use network segmentation and egress control policies to limit which systems can reach the Internet directly.
- Document detection assumptions and telemetry sources for compliance and incident response evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no platforms or tactics specified directly on the object. The practical interpretation comes from its relationship to T1016.001 Internet Connection Discovery, which is a Discovery technique associated with Windows, Linux, macOS, and ESXi.
This take cannot assert specific detection coverage, active exploitation, adversary attribution, or exact analytic logic because those details are not present in the supplied STIX fields. Local environment telemetry, baselines, and control architecture are required to determine operational priority and alert severity.
Behavioral Detection of Internet Connection Discovery
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | This object detects Internet Connection Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9dac115958e4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0357 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.