1. Home
  2. Techniques
  3. Enterprise
  4. System Network Configuration Discovery
  5. Internet Connection Discovery

System Network Configuration Discovery: Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

ID: T1016.001
Sub-technique of:  T1016
Tactic: Discovery
Platforms: Linux, Windows, macOS
Permissions Required: User
Version: 1.0
Created: 17 March 2021
Last Modified: 25 March 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[1]
G0047 Gamaredon Group

Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.[2]
S0597 GoldFinder

GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.[1]
S0284 More_eggs

More_eggs has used HTTP GET requests to check internet connectivity.[3]
S0691 Neoichor

Neoichor can check for Internet connectivity by contacting bing[.]com with the request format bing[.]com?id=<GetTickCount>.[4]
S0650 QakBot

QakBot can measure the download speed on a targeted host.[5]
S0686 QuietSieve

QuietSieve can check C2 connectivity with a ping to 8.8.8.8 (Google public DNS).[6]
G0010 Turla

Turla has used tracert to check internet connectivity.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity.

References

  1. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  2. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  3. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  4. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  1. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  2. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  3. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.