
System Network Configuration Discovery: Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites. Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

ID: T1016.001
Sub-technique of: T1016
Tactic(s): Discovery
Platforms: Linux, macOS, Windows
Permissions Required: User
Data Sources: Command: Command Execution, Process: Process Creation
Version: 1.0
Created: 17 Mar 2021
Last Modified: 25 Mar 2021

Procedure Examples

Name and description
GoldFinder

GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.(Citation: MSTIC NOBELIUM Mar 2021)

UNC2452

UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)

More_eggs

More_eggs has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019)

Neoichor

Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=`.(Citation: Microsoft NICKEL December 2021)

SUGARUSH

SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.(Citation: Mandiant UNC3890 Aug 2022)

HEXANE

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021)

QakBot

QakBot can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021)

QuietSieve

QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).(Citation: Microsoft Actinium February 2022)

Gamaredon Group

Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.(Citation: Symantec Shuckworm January 2022)

APT29

APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)

Operation Wocao

During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.(Citation: FoxIT Wocao December 2019)

Rising Sun

Rising Sun can test a connection to a specified network IP address over a specified port number.(Citation: McAfee Sharpshooter December 2018)

Turla

Turla has used tracert to check internet connectivity.(Citation: ESET ComRAT May 2020)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity.
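The detection guidance above asks for two things: watch process creation and command lines for connectivity probes, and judge each hit as part of a chain rather than in isolation. The script below is an added example written for this page; it is not code from SECURITM or MITRE ATT&CK. It runs the probe patterns that appear in the procedure examples (ping to a public resolver or with `-n 1`, tracert, BITSAdmin transfers, HTTP GET helpers) over constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection; the field names, hosts, paths and addresses are invented for the example) and raises the severity of a probe only when the same host makes a fresh outbound connection from a non-browser process shortly afterwards.

```python
"""
Detection sketch for ATT&CK T1016.001 (Internet Connection Discovery).

Step 1: match process-creation command lines against connectivity-probe rules.
Step 2: chain each hit with later outbound connections from the same host, so a
lone ping scores "low" while a ping followed by a new connection from an
unusual process scores "high".  All events, field names and addresses below are
constructed for this example (Sysmon-like shape, documentation IP ranges).
"""
import re
from datetime import datetime, timedelta

# (rule name, regex applied to the lower-cased command line)
RULES = [
    ("ping_public_resolver", re.compile(r"\bping(?:\.exe)?\b.*\b(8\.8\.8\.8|1\.1\.1\.1)\b")),
    ("ping_single_probe", re.compile(r"\bping(?:\.exe)?\b.*\s-n\s+1\b")),
    ("tracert", re.compile(r"\b(tracert|traceroute)(?:\.exe)?\b")),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b")),
    ("http_get_helper", re.compile(r"\b(curl|wget)(?:\.exe)?\b|invoke-webrequest|\.downloadstring\(|msxml2\.xmlhttp")),
]

# Processes that talk to the Internet all day; a follow-on connection from
# these does not make the probe more suspicious.
BENIGN_NET_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "svchost.exe"}

CHAIN_WINDOW = timedelta(minutes=10)  # how long after a probe we look for a connection


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def basename(path):
    """Last path component of a Windows or POSIX path, lower-cased."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def match_connectivity_checks(events):
    """One finding per process-creation event (event_id 1) whose command line hits a rule."""
    findings = []
    for ev in events:
        if ev["event_id"] != 1:
            continue
        cmd = ev["command_line"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"host": ev["host"], "ts": parse_ts(ev["ts"]), "pid": ev["pid"],
                                 "rule": name, "command_line": ev["command_line"], "chained": []})
                break  # first matching rule is enough; keep one finding per event
    return findings


def chain_with_connections(findings, events):
    """Attach outbound connections (event_id 3) on the same host within CHAIN_WINDOW
    after the probe, ignoring well-known Internet-facing processes, then set severity."""
    conns = [ev for ev in events if ev["event_id"] == 3]
    for f in findings:
        for c in conns:
            cts = parse_ts(c["ts"])
            same_host = c["host"] == f["host"]
            in_window = f["ts"] <= cts <= f["ts"] + CHAIN_WINDOW
            if same_host and in_window and basename(c["image"]) not in BENIGN_NET_PROCESSES:
                f["chained"].append({"image": c["image"], "ts": cts,
                                     "dest": f"{c['dest_ip']}:{c['dest_port']}"})
        f["severity"] = "high" if f["chained"] else "low"
    return findings


def detect(events):
    """Full pipeline: probe matching followed by chaining. Returns the findings list."""
    return chain_with_connections(match_connectivity_checks(events), events)


# Constructed sample telemetry (not real logs). Hosts WS01..WS05 are fictitious;
# destination addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"event_id": 1, "ts": "2024-05-01 09:00:00", "host": "WS01", "pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c ping -n 1 8.8.8.8"},
    {"event_id": 3, "ts": "2024-05-01 09:00:40", "host": "WS01", "pid": 4188,
     "image": r"C:\Users\Public\svc.exe", "dest_ip": "203.0.113.7", "dest_port": 443},
    {"event_id": 1, "ts": "2024-05-01 09:05:00", "host": "WS02", "pid": 5012,
     "image": r"C:\Windows\System32\tracert.exe", "command_line": "tracert www.example.test"},
    {"event_id": 3, "ts": "2024-05-01 09:06:00", "host": "WS02", "pid": 2200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "198.51.100.20", "dest_port": 443},
    {"event_id": 1, "ts": "2024-05-01 09:10:00", "host": "WS03", "pid": 6001,
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer chk http://example.test/probe.txt C:\Users\Public\out.txt"},
    {"event_id": 1, "ts": "2024-05-01 09:12:00", "host": "WS04", "pid": 7001,
     "image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe C:\Users\a\notes.txt"},
    {"event_id": 1, "ts": "2024-05-01 09:15:00", "host": "WS05", "pid": 8001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c "Invoke-WebRequest http://www.example.test/ -UseBasicParsing"'},
    {"event_id": 3, "ts": "2024-05-01 09:17:00", "host": "WS05", "pid": 8001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "192.0.2.10", "dest_port": 80},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']} {f['severity']:4} {f['rule']:22} {f['command_line']}")
        for c in f["chained"]:
            print(f"    -> {c['image']} connected to {c['dest']} at {c['ts']:%H:%M:%S}")
```

On the constructed events the notepad launch produces no finding, the tracert on WS02 stays "low" because the only follow-on connection comes from a browser, and the ping on WS01 and the Invoke-WebRequest on WS05 are raised to "high" by the connection that follows them from an unusual process. In production the benign-process list, the chaining window and a rarity check on the destination address would be tuned to the environment; the structure (probe match, then chain) is what the detection guidance on this page describes.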

Related Risks

Nothing found
