Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 |
APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[1] |
| S0597 | GoldFinder |
GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.[1] |
| S0284 | More_eggs |
More_eggs has used HTTP GET requests to check internet connectivity.[2] |
| S0650 | QakBot |
QakBot can measure the download speed on a targeted host.[3] |
| G0010 | Turla |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity.