Description
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
Platforms
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has conducted a network call out to a specific website as part of their initial discovery activit... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used tools including [BITSAdmin](https://attack.mitre.org/software/S0190) to test internet connect... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has ensured web servers in a victim environment are Internet accessible before copying tools or malware... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has tested connectivity between a compromised machine and a C2 server using [Ping](https://at... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has run scripts to check internet connectivity from compromised hosts. (Citation: Cisco Operation Lay... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has performed checks to determine if a victim machine is able to access the Internet.(Citation:... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has used `Ping` and `tracert` for network reconnaissance efforts.(Citation: Mandiant FIN13 Aug 2022) |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has checked for network connectivity from a compromised host using `ping`, including attempts to cont... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used `tracert` to check internet connectivity.(Citation: ESET ComRAT May 2020) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has employed [Ping](https://attack.mitre.org/software/S0097) to check network connectivity.(Cit... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used the [Ping](https://attack.mitre.org/software/S0097) command to check connectivity to actor-cont... |
Associated Software (13)
| ID | Name | Type | Context |
|---|---|---|---|
| S0597 | GoldFinder | Malware | [GoldFinder](https://attack.mitre.org/software/S0597) performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and o... |
| S0284 | More_eggs | Malware | [More_eggs](https://attack.mitre.org/software/S0284) has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More E... |
| S0691 | Neoichor | Malware | [Neoichor](https://attack.mitre.org/software/S0691) can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?i... |
| S1049 | SUGARUSH | Malware | [SUGARUSH](https://attack.mitre.org/software/S1049) has checked for internet connectivity from an infected host before attempting to establish a new T... |
| S1107 | NKAbuse | Malware | [NKAbuse](https://attack.mitre.org/software/S1107) utilizes external services such as `ifconfig.me` to identify the victim machine's IP add... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021) |
| S0686 | QuietSieve | Malware | [QuietSieve](https://attack.mitre.org/software/S0686) can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).(Citation: Microsoft Acti... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) can contact the DNS server operated by Google as part of its C2 establishment process.(Citation: ... |
| S1229 | Havoc | Malware | The [Havoc](https://attack.mitre.org/software/S1229) demon can check for a connection to the C2 server from the target machine.(Citation: Zscaler Havo... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) can check for internet connectivity by issuing HTTP GET requests.(Citation: Secureworks DarkTo... |
| S1065 | Woody RAT | Malware | [Woody RAT](https://attack.mitre.org/software/S1065) can make `Ping` GET HTTP requests to its C2 server at regular intervals for network connectivity ... |
| S0448 | Rising Sun | Malware | [Rising Sun](https://attack.mitre.org/software/S0448) can test a connection to a specified network IP address over a specified port number.(Citation: ... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has identified internet connectivity details through commands such as `tracert -h 5 -4 google.com` ... |
Frequently Asked Questions
What is T1016.001 (Internet Connection Discovery)?
T1016.001 is a MITRE ATT&CK sub-technique named 'Internet Connection Discovery', filed under System Network Configuration Discovery (T1016) in the Discovery tactic. Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
How can T1016.001 be detected?
Detection rests on process-creation and command-line telemetry rather than on any single signature, because the utilities involved (`ping`, `tracert`, BITSAdmin, ordinary HTTP clients) are legitimate and routinely run by administrators. Look for them contacting well-known reachability targets such as 8.8.8.8, google.com or ifconfig.me shortly after initial access, especially when the parent is an Office application, a script host or another process with no reason to probe the Internet; PUBLOAD's `tracert -h 5 -4 google.com` and QuietSieve's ping to 8.8.8.8 in the table above are concrete examples of what such a rule should match. On the network side, a workstation that never otherwise contacts these hosts suddenly doing so, or a burst of HTTP GETs to a handful of connectivity-check sites, is worth correlating with what follows (tool download, first C2 beacon). Alerting on the command alone is noisy; scoring on parent process, user, target and timing keeps the alert actionable.
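The following is an added example of that scoring logic, not code from MITRE or from any of the reports cited on this page. It runs over constructed, simplified process-creation records modelled on the behaviours listed above (ping to 8.8.8.8, `tracert -h 5 -4 google.com`, BITSAdmin fetching ifconfig.me). The field names (`host`, `parent`, `image`, `cmdline`), the beacon and parent-process lists and the three severity tiers are assumptions for the example; tune them to your own telemetry.

```python
"""Triage connectivity-probe commands (T1016.001) in process-creation telemetry.
Added example; log lines, field names and severity rules are constructed assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

# Reachability beacons named on the page (8.8.8.8, google.com, bing.com,
# ifconfig.me) plus a few comparable public services (assumed additions).
PROBE_TARGETS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "google.com", "bing.com",
                 "ifconfig.me", "ipinfo.io", "icanhazip.com"}
# Utilities the page lists for the check (Ping, tracert, BITSAdmin) plus
# common HTTP clients (assumed additions).
PROBE_BINARIES = {"ping.exe", "tracert.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
                  "ping", "traceroute", "curl", "wget"}
# Parents that have no business probing the Internet from a command line.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Parse 'ts key=value key="quoted value" ...' into a dict; timestamp under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for m in FIELD_RE.finditer(rest):
        event[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(2)
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_targets(cmdline: str) -> list:
    """Hosts/IPs a command line reaches: URL hosts and dotted bare tokens.
    Switches, their numeric values and local file paths are skipped."""
    targets = []
    for tok in cmdline.split()[1:]:          # token 0 is the program itself
        if tok[0] in "-/" or "\\" in tok:    # a switch, or a local path argument
            continue
        if "://" in tok:
            host = urlparse(tok).hostname
            if host:
                targets.append(host.lower())
        elif "." in tok and not tok.lower().endswith(".exe"):
            targets.append(tok.strip('"').lower())
    return targets


def is_public_ip(target: str):
    """True/False for an IP literal (global vs. private/reserved), None for a hostname."""
    try:
        return ipaddress.ip_address(target).is_global
    except ValueError:
        return None


def score_event(event: dict):
    """Return (severity, reason, target), or None if the command is not a connectivity probe."""
    image = basename(event.get("image", ""))
    if image not in PROBE_BINARIES:
        return None
    parent = basename(event.get("parent", ""))
    for target in extract_targets(event.get("cmdline", "")):
        known = target in PROBE_TARGETS or any(target.endswith("." + t) for t in PROBE_TARGETS)
        if not (known or is_public_ip(target)):
            continue                          # internal address: ordinary troubleshooting
        if parent in SUSPICIOUS_PARENTS:
            return "high", f"{image} launched by {parent}", target
        if known:
            return "medium", f"{image} against well-known beacon", target
        return "low", f"{image} to public address", target
    return None


def triage(lines) -> list:
    """Run score_event over raw log lines and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = score_event(ev)
        if hit:
            severity, reason, target = hit
            findings.append({"ts": ev["ts"], "host": ev.get("host"), "severity": severity,
                             "target": target, "reason": reason, "cmdline": ev.get("cmdline")})
    return findings


# Constructed sample telemetry, modelled on behaviours listed on this page.
SAMPLE_LOGS = [
    r'2024-05-02T10:14:01Z host=WS-17 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\PING.EXE" cmdline="ping -n 1 8.8.8.8"',
    r'2024-05-02T10:14:03Z host=WS-17 parent="C:\Windows\System32\wscript.exe" image="C:\Windows\System32\tracert.exe" cmdline="tracert -h 5 -4 google.com"',
    r'2024-05-02T10:20:45Z host=SRV-02 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\PING.EXE" cmdline="ping -n 2 10.0.0.1"',
    r'2024-05-02T11:02:10Z host=WS-21 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\bitsadmin.exe" cmdline="bitsadmin /transfer chk http://ifconfig.me C:\Users\Public\ip.txt"',
    r'2024-05-02T11:02:12Z host=WS-21 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\PING.EXE" cmdline="ping -n 1 9.9.9.9"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['severity']:6} {f['ts']} {f['host']}: {f['reason']} -> {f['target']}  [{f['cmdline']}]")
```

The private-address ping from SRV-02 produces no finding at all: a ping to a local gateway is normal troubleshooting and alerting on it would bury the two Office- and script-host-spawned probes that matter. The bare `cmd.exe` cases are kept but ranked lower so they can be correlated with subsequent downloads or beacons rather than paged on directly.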
What mitigations exist for T1016.001?
Like other Discovery techniques, this one abuses built-in utilities and ordinary outbound traffic, so preventive controls cannot easily stop it and the emphasis belongs on detection. What does help is constraining the result: forcing web traffic through an authenticated proxy, denying unsolicited outbound ICMP and direct access to external resolvers from user segments, and restricting which hosts may reach the Internet at all limit what a connectivity check can learn about routes and egress, and make the attempt itself visible in proxy and firewall logs.
Which threat groups use T1016.001?
Known threat groups using T1016.001 include: Magic Hound, HEXANE, APT29, Gamaredon Group, TA2541, Lotus Blossom, FIN13, HAFNIUM, Turla, Volt Typhoon, and FIN8.