
System Network Configuration Discovery: Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites. Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

ID: T1016.001
Sub-technique of: T1016
Tactic(s): Discovery
Platforms: ESXi, Linux, macOS, Windows
Data Sources: Command: Command Execution, Process: Process Creation
Version: 1.1
Created: 17 Mar 2021
Last Modified: 25 Apr 2025

Procedure Examples

Name Description
GoldFinder

GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.(Citation: MSTIC NOBELIUM Mar 2021)

UNC2452

UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)

More_eggs

More_eggs has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019)

Neoichor

Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=`.(Citation: Microsoft NICKEL December 2021)

SolarWinds Compromise

During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)

Magic Hound

Magic Hound has conducted a network call-out to a specific website as part of their initial discovery activity.(Citation: DFIR Phosphorus November 2021)

SUGARUSH

SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.(Citation: Mandiant UNC3890 Aug 2022)

NKAbuse

NKAbuse utilizes external services such as ifconfig.me to identify the victim machine's IP address.(Citation: NKAbuse SL)

HEXANE

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021)

QakBot

QakBot can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021)

APT29

APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

QuietSieve

QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).(Citation: Microsoft Actinium February 2022)

Gamaredon Group

Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.(Citation: Symantec Shuckworm January 2022)

SysUpdate

SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.(Citation: Lunghi Iron Tiger Linux)

APT29

APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)

TA2541

TA2541 has run scripts to check internet connectivity from compromised hosts.(Citation: Cisco Operation Layover September 2021)

Operation Wocao

During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.(Citation: FoxIT Wocao December 2019)

Lotus Blossom

Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.(Citation: Cisco LotusBlossom 2025)

DarkTortilla

DarkTortilla can check for internet connectivity by issuing HTTP GET requests.(Citation: Secureworks DarkTortilla Aug 2022)

Woody RAT

Woody RAT can make `Ping` GET HTTP requests to its C2 server at regular intervals for network connectivity checks.(Citation: MalwareBytes WoodyRAT Aug 2022)

FIN13

FIN13 has used `Ping` and `tracert` for network reconnaissance efforts.(Citation: Mandiant FIN13 Aug 2022)

Rising Sun

Rising Sun can test a connection to a specified network IP address over a specified port number.(Citation: McAfee Sharpshooter December 2018)

HAFNIUM

HAFNIUM has checked for network connectivity from a compromised host using `ping`, including attempts to contact `google[.]com`.(Citation: Rapid7 HAFNIUM Mar 2021)

Turla

Turla has used tracert to check internet connectivity.(Citation: ESET ComRAT May 2020)

Volt Typhoon

Volt Typhoon has employed Ping to check network connectivity.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

FIN8

FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity.
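As an added illustration of the monitoring advice above (example code, not part of the original ATT&CK page), the following Python triages process-creation events for the connectivity-check patterns named in this technique's procedure examples: single-packet `ping`, `tracert`, and `bitsadmin`/`curl`/`wget` requests to public check destinations such as 8.8.8.8 or ifconfig.me. The JSON event format and all sample log lines are constructed for the example; the destination and tool lists are assumptions a team would tune to its own environment.

```python
"""Flag process-creation events that look like Internet connectivity checks
(T1016.001) so they can be correlated with later Command and Control activity.
Events are constructed JSON records with Computer, User and CommandLine fields."""
import json
import re

# Destinations and tools drawn from this technique's procedure examples (assumed list).
CHECK_DESTINATIONS = {"8.8.8.8", "google.com", "bing.com", "ifconfig.me"}
PROBE_TOOLS = {"ping", "tracert", "bitsadmin", "curl", "wget"}
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

def extract_hosts(tokens):
    """Pull IPs and domain names out of command-line tokens, skipping flags and local paths."""
    hosts = set()
    for t in tokens:
        if t.startswith(("-", "/")) or "\\" in t:
            continue
        t = re.sub(r"^https?://", "", t).split("/")[0].split("?")[0]
        if IP_RE.fullmatch(t) or (DOMAIN_RE.fullmatch(t) and not t.endswith(".exe")):
            hosts.add(t)
    return hosts

def classify(event):
    """Return a finding dict for a likely connectivity probe, or None otherwise."""
    tokens = event.get("CommandLine", "").lower().split()
    # Look past shell wrappers such as `cmd.exe /c` and full paths to the actual tool name.
    names = [t.rsplit("\\", 1)[-1].removesuffix(".exe") for t in tokens]
    tool = next((n for n in names if n in PROBE_TOOLS), None)
    if tool is None:
        return None
    hosts = extract_hosts(tokens)
    known = hosts & CHECK_DESTINATIONS
    # A single-packet ping (-n 1 on Windows, -c 1 on Unix) is a reachability probe, not troubleshooting.
    single = tool == "ping" and re.search(r"-[nc]\s+1\b", " ".join(tokens)) is not None
    if known:
        reason = "known-check-destination"
    elif single:
        reason = "single-packet-probe"
    elif tool == "tracert":
        reason = "route-discovery"
    else:
        return None  # e.g. a multi-packet ping to an internal host is routine admin activity
    return {"computer": event.get("Computer"), "user": event.get("User"),
            "tool": tool, "targets": sorted(hosts), "reason": reason}

def scan(lines):
    """Run classify() over newline-delimited JSON events and return only the findings."""
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]

SAMPLE_LOG = [  # constructed events, not from any real incident
    '{"Computer": "WS01", "User": "CORP\\\\alice", "CommandLine": "C:\\\\Windows\\\\System32\\\\cmd.exe /c ping -n 1 8.8.8.8"}',
    '{"Computer": "WS02", "User": "CORP\\\\bob", "CommandLine": "tracert www.example.com"}',
    '{"Computer": "WS03", "User": "svc", "CommandLine": "bitsadmin /transfer job /download /priority normal https://ifconfig.me/ip C:\\\\Users\\\\Public\\\\ip.txt"}',
    '{"Computer": "WS04", "User": "CORP\\\\carol", "CommandLine": "notepad.exe C:\\\\notes.txt"}',
    '{"Computer": "WS05", "User": "CORP\\\\dan", "CommandLine": "ping -n 4 fileserver01"}',
]
```

Findings are meant to be joined with what the same host does next (new outbound connections, tool transfers), not alerted on in isolation.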

References

  1. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  2. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  3. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  4. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  5. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  6. KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
  7. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  8. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  9. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  10. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  11. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  12. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  13. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  14. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  15. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  16. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  17. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  18. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  19. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  20. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  21. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  22. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  23. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
