T1016.001 Internet Connection Discovery
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
| Item | Value |
|---|---|
| ID | T1016.001 |
| Sub-techniques | T1016.001 |
| Tactics | TA0007 |
| Platforms | Linux, Windows, macOS |
| Permissions required | User |
| Version | 1.0 |
| Created | 17 March 2021 |
| Last Modified | 25 March 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1066 | DarkTortilla | DarkTortilla can check for internet connectivity by issuing HTTP GET requests.8 |
| G0047 | Gamaredon Group | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.15 |
| S0597 | GoldFinder | GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.4 |
| G0125 | HAFNIUM | HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com.11 |
| G1001 | HEXANE | HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.12 |
| G0059 | Magic Hound | Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.14 |
| S0284 | More_eggs | More_eggs has used HTTP GET requests to check internet connectivity.1 |
| S0691 | Neoichor | Neoichor can check for Internet connectivity by contacting bing[.]com with the request format bing[.]com?id=<GetTickCount>.2 |
| C0014 | Operation Wocao | During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.16 |
| S0650 | QakBot | QakBot can measure the download speed on a targeted host.10 |
| S0686 | QuietSieve | QuietSieve can check C2 connectivity with a ping to 8.8.8.8 (Google public DNS).6 |
| S0448 | Rising Sun | Rising Sun can test a connection to a specified network IP address over a specified port number.9 |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.4 |
| S1049 | SUGARUSH | SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.7 |
| S0663 | SysUpdate | SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.5 |
| G0010 | Turla | Turla has used tracert to check internet connectivity.13 |
| S1065 | Woody RAT | Woody RAT can make Ping GET HTTP requests to its C2 server at regular intervals for network connectivity checks.3 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
References
-
Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. ↩
-
MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. ↩
-
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. ↩
-
Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. ↩↩
-
Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. ↩
-
Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. ↩
-
Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. ↩
-
Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. ↩
-
Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. ↩
-
Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. ↩
-
Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. ↩
-
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. ↩
-
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. ↩
-
DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. ↩
-
Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. ↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩