System Network Configuration Discovery: Internet Connection Discovery
Other sub-techniques of System Network Configuration Discovery (1)

ID | Name |
---|---|
.001 | Internet Connection Discovery |
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
Procedure Examples

Name | Description |
---|---|
GoldFinder | GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.(Citation: MSTIC NOBELIUM Mar 2021) |
UNC2452 | UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021) |
More_eggs | More_eggs has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019) |
Neoichor | Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id= |
SUGARUSH | SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.(Citation: Mandiant UNC3890 Aug 2022) |
HEXANE | HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021) |
QakBot | QakBot can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021) |
QuietSieve | QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).(Citation: Microsoft Actinium February 2022) |
Gamaredon Group | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.(Citation: Symantec Shuckworm January 2022) |
APT29 | APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021) |
Operation Wocao | During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.(Citation: FoxIT Wocao December 2019) |
Rising Sun | Rising Sun can test a connection to a specified network IP address over a specified port number.(Citation: McAfee Sharpshooter December 2018) |
Turla | Turla has used |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity.
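As an added example (not part of the ATT&CK page or of any referenced report), a small Python triage pass over constructed process-creation events: it tags the connectivity-check command lines named in the procedure examples above (`ping -n 1`, probes to 8.8.8.8, BITSAdmin transfers) and raises severity when the parent is a script host, which is the "chain of behavior" the detection guidance asks for. The rule names, the script-host parent list and the sample events are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry); the
# command lines mirror the procedure examples on the page (ping -n 1,
# 8.8.8.8, BITSAdmin) plus benign admin activity for contrast.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "powershell.exe",
     "cmdline": r"cmd.exe /c ping -n 1 8.8.8.8"},
    {"pid": 4188, "parent": "wscript.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority normal "
                r"http://example.invalid/check C:\Users\Public\check.txt"},
    {"pid": 4201, "parent": "explorer.exe",
     "cmdline": "ping -n 4 fileserver01.corp.local"},
    {"pid": 4210, "parent": "cmd.exe",
     "cmdline": "tracert -d 8.8.8.8"},
    {"pid": 4222, "parent": "explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Rule names are constructed labels; the regexes encode only the indicators
# the page lists, so they tag candidates rather than prove intent.
RULES = {
    "single_probe_ping": re.compile(r"\bping(\.exe)?\b.*\s-n\s+1\b", re.I),
    "public_resolver_probe": re.compile(
        r"\b(ping|tracert)(\.exe)?\b.*\b8\.8\.8\.8\b", re.I),
    "bitsadmin_transfer": re.compile(
        r"\bbitsadmin(\.exe)?\b.*/(transfer|download)\b", re.I),
}

# Assumed list of parents that rarely run connectivity probes by hand.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def classify(event):
    """Return the sorted names of every rule whose regex matches the command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(event["cmdline"]))


def triage(events):
    """Return (pid, rules, severity) for each tagged event; script-host parent => 'high'."""
    findings = []
    for e in events:
        hits = classify(e)
        if not hits:
            continue  # e.g. ping -n 4 to an internal host is left alone
        severity = "high" if e["parent"].lower() in SCRIPT_HOST_PARENTS else "medium"
        findings.append((e["pid"], hits, severity))
    return findings
```

Expect three findings from the sample set: the scripted ping and the BITSAdmin transfer at high severity, the tracert at medium, and nothing for the internal ping or notepad.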
References
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.