System Network Configuration Discovery: Internet Connection Discovery
Other sub-techniques of System Network Configuration Discovery (2)
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert
, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
Procedure Examples |
|
Name | Description |
---|---|
GoldFinder |
GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.(Citation: MSTIC NOBELIUM Mar 2021) |
UNC2452 |
UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021) |
More_eggs |
More_eggs has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019) |
Neoichor |
Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id= |
During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021) |
|
Magic Hound |
Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.(Citation: DFIR Phosphorus November 2021) |
SUGARUSH |
SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.(Citation: Mandiant UNC3890 Aug 2022) |
NKAbuse |
NKAbuse utilizes external services such as |
HEXANE |
HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021) |
QakBot |
QakBot can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021) |
APT29 |
APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.(Citation: Mandiant APT29 Eye Spy Email Nov 22) |
QuietSieve |
QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).(Citation: Microsoft Actinium February 2022) |
Gamaredon Group |
Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.(Citation: Symantec Shuckworm January 2022) |
SysUpdate |
SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.(Citation: Lunghi Iron Tiger Linux) |
APT29 |
APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021) |
TA2541 |
TA2541 has run scripts to check internet connectivity from compromised hosts. (Citation: Cisco Operation Layover September 2021) |
During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.(Citation: FoxIT Wocao December 2019) |
|
Lotus Blossom |
Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.(Citation: Cisco LotusBlossom 2025) |
DarkTortilla |
DarkTortilla can check for internet connectivity by issuing HTTP GET requests.(Citation: Secureworks DarkTortilla Aug 2022) |
Woody RAT |
Woody RAT can make `Ping` GET HTTP requests to its C2 server at regular intervals for network connectivity checks.(Citation: MalwareBytes WoodyRAT Aug 2022) |
FIN13 |
FIN13 has used `Ping` and `tracert` for network reconnaissance efforts.(Citation: Mandiant FIN13 Aug 2022) |
Rising Sun |
Rising Sun can test a connection to a specified network IP address over a specified port number.(Citation: McAfee Sharpshooter December 2018) |
HAFNIUM |
HAFNIUM has checked for network connectivity from a compromised host using `ping`, including attempts to contact `google[.]com`.(Citation: Rapid7 HAFNIUM Mar 2021) |
Turla |
Turla has used |
Volt Typhoon |
Volt Typhoon has employed Ping to check network connectivity.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
FIN8 |
FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021) |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity.
References
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
- Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
- Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.