T1016.001 Internet Connection Discovery
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways, such as using Ping, tracert, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
Item | Value |
---|---|
ID | T1016.001 |
Sub-techniques | T1016.001 |
Tactics | TA0007 |
Platforms | Linux, Windows, macOS |
Permissions required | User |
Version | 1.0 |
Created | 17 March 2021 |
Last Modified | 25 March 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0016 | APT29 | APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[2] |
G0047 | Gamaredon Group | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.[6] |
S0597 | GoldFinder | GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.[2] |
S0284 | More_eggs | More_eggs has used HTTP GET requests to check internet connectivity.[3] |
S0691 | Neoichor | Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=<GetTickCount>`.[1] |
S0650 | QakBot | QakBot can measure the download speed on a targeted host.[4] |
S0686 | QuietSieve | QuietSieve can check C2 connectivity with a ping to 8.8.8.8 (Google public DNS).[5] |
G0010 | Turla | Turla has used tracert to check internet connectivity.[7] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
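One way to turn the Command Execution and Process Creation data components above into a concrete check, written as an added example rather than anything from the ATT&CK page or its cited reports: a small rule set that scans process-creation events for the probe patterns the page lists (single-probe `ping -n 1`, pings to a public resolver such as 8.8.8.8, tracert, and HTTP GET tools), and raises severity when the parent process lives in a user-writable directory. The sample events, the rule names, the list of public resolvers, and the user-writable path list are all constructed assumptions for illustration.

```python
import re

# Constructed sample process-creation events (hypothetical; not taken from the
# page's cited reports). Each tuple is (parent image, image, command line) as a
# Sysmon-style feed would expose them.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c ping -n 1 8.8.8.8"),
    (r"C:\Users\u\AppData\Local\Temp\update.exe", r"C:\Windows\System32\TRACERT.EXE",
     "tracert -d bing.com"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\PING.EXE",
     "ping -n 4 fileserver.corp.local"),
    (r"C:\Users\u\AppData\Roaming\x.exe", r"C:\Windows\System32\curl.exe",
     "curl http://bing.com?id=51234567"),
]

# Each rule is (name, compiled pattern over the command line). The patterns mirror
# the behaviours listed on the page: single-probe ping, tracert, and HTTP GET checks.
# The resolver list is an assumption; extend it to match your environment.
RULES = [
    ("single_ping_probe", re.compile(r"\bping(\.exe)?\b.*\s-n\s+1\b", re.I)),
    ("ping_public_resolver",
     re.compile(r"\bping(\.exe)?\b.*\b(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1)\b", re.I)),
    ("traceroute", re.compile(r"\b(tracert|traceroute)(\.exe)?\b", re.I)),
    ("http_get_probe", re.compile(r"\b(curl|wget|certutil)(\.exe)?\b.*https?://", re.I)),
]

# Parents in user-writable locations are unusual launchers for these utilities
# (assumed list of directories; tune for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)

def classify(events):
    """Return (command line, rule name, severity) for each event matching a rule."""
    hits = []
    for parent, _image, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                severity = "high" if USER_WRITABLE.search(parent) else "low"
                hits.append((cmdline, name, severity))
                break  # one finding per event; first matching rule wins
    return hits

if __name__ == "__main__":
    for cmdline, rule, severity in classify(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {cmdline}")
```

The routine `ping -n 4` to an internal host is deliberately left unflagged, since a rule that fires on every ping is noise; the single-probe and public-resolver forms are the ones that match the procedures above.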
References
1. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
2. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
3. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
4. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
5. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
6. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
7. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.