T1016.001: Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_discovery: PT-CR-1687: Unix_Internet_Connection_Discovery: Internet connection check from a Unix host
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor for executed processes (such as tracert or ping) that may check for Internet connectivity on compromised systems.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may check for Internet connectivity on compromised systems.
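The two detection ideas above (a connectivity tool run against an external target, and a burst of reconnaissance commands from one host and user, as in the PT-CR-1687 and PT-CR-480 rules) can be expressed as simple logic over process-creation events. The following is an added example, not Positive Technologies' or MITRE's code; the log format, tool lists and external-target heuristic are assumptions, and the events are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Tools commonly run to test Internet reachability (assumed names on Unix/Windows hosts).
CONNECTIVITY_TOOLS = {"ping", "ping.exe", "tracert", "tracert.exe", "traceroute", "curl", "wget"}
# Wider set counted toward "many reconnaissance commands in a short time" (automated discovery).
RECON_TOOLS = CONNECTIVITY_TOOLS | {"whoami", "id", "uname", "ifconfig", "ip", "netstat", "hostname"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # loose match; assumes well-formed addresses
URL_OR_FQDN = re.compile(r"https?://|\b[\w.-]+\.(?:com|net|org|io)\b")
# Constructed sample events in a hypothetical "timestamp|host|user|command line" format, not real logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01|srv01|www-data|ping -c 1 8.8.8.8
2024-05-01T10:00:02|srv01|www-data|curl -s http://example.com
2024-05-01T10:00:03|srv01|www-data|whoami
2024-05-01T10:00:04|srv01|www-data|uname -a
2024-05-01T10:00:05|srv01|www-data|ip a
2024-05-01T10:05:00|srv02|alice|ping -c 3 10.0.0.7
2024-05-01T11:30:00|srv02|alice|whoami
"""

def parse(log):
    """Return (datetime, host, user, argv) tuples from the constructed pipe-separated format."""
    rows = (line.split("|", 3) for line in log.splitlines())
    return [(datetime.fromisoformat(ts), host, user, cmd.split()) for ts, host, user, cmd in rows]

def looks_external(text):
    """True for a URL, a public-looking FQDN, or a non-private IPv4 address in the arguments."""
    return bool(URL_OR_FQDN.search(text)) or any(
        not ipaddress.ip_address(ip).is_private for ip in IPV4.findall(text))

def tool(argv):
    return argv[0].rsplit("/", 1)[-1] if argv else ""  # /usr/bin/ping -> ping

def connectivity_checks(events):
    """Commands that run a connectivity tool against an external-looking target (DS0017 style)."""
    return [" ".join(argv) for _, _, _, argv in events
            if tool(argv) in CONNECTIVITY_TOOLS and looks_external(" ".join(argv[1:]))]

def mass_recon(events, threshold=5, window=timedelta(seconds=60)):
    """(host, user) pairs that ran >= threshold recon commands within one sliding time window."""
    by_actor = defaultdict(list)
    for ts, host, user, argv in events:
        if tool(argv) in RECON_TOOLS:
            by_actor[(host, user)].append(ts)
    hits = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(actor)
    return sorted(hits)
```

A ping to a private address is deliberately not counted as a connectivity check, so the threshold rule is what catches the srv01 burst as a whole.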