T1016.001
System Network Configuration Discovery: Internet Connection Discovery
Description from ATT&CK
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
Atomic Tests
Atomic Test #1 - Check internet connection using ping Windows
Check internet connection using ping on Windows. The default target of the ping is 8.8.8.8 (Google Public DNS).
Supported Platforms: windows
auto_generated_guid: e184b6bd-fb28-48aa-9a59-13012e33d7dc
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
ping_target | target of the ping | url | 8.8.8.8 |
Attack Commands: Run with command_prompt!
1
ping -n 4 #{ping_target}
Atomic Test #2 - Check internet connection using ping freebsd, linux or macos
Check internet connection using ping on Linux, MACOS. The default target of the ping is 8.8.8.8 (Google Public DNS).
Supported Platforms: macos,linux
auto_generated_guid: be8f4019-d8b6-434c-a814-53123cdcc11e
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
ping_target | target of the ping | url | 8.8.8.8 |
Attack Commands: Run with bash!
1
ping -n 4 #{ping_target}
Atomic Test #3 - Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
Check internet connection using PowerShell's Test-NetConnection cmdlet and the ICMP/Ping protocol. The default target is 8.8.8.8 (Google Public DNS).
Supported Platforms: windows
auto_generated_guid: f8160cde-4e16-4c8b-8450-6042d5363eb0
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
target | target of the request | string | 8.8.8.8 |
Attack Commands: Run with powershell!
1
Test-NetConnection -ComputerName #{target}
Atomic Test #4 - Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound HTTP (Port 80) access. The default target is www.google.com.
Supported Platforms: windows
auto_generated_guid: 7c35779d-42ec-42ab-a283-6255b28e9d68
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
target | target of the request | string | www.google.com |
Attack Commands: Run with powershell!
1
Test-NetConnection -CommonTCPPort HTTP -ComputerName #{target}
Atomic Test #5 - Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound SMB (Port 445) access. The default target is 8.8.8.8.
Supported Platforms: windows
auto_generated_guid: d9c32b3b-7916-45ad-aca5-6c902da80319
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
target | target of the request | string | 8.8.8.8 |
Attack Commands: Run with powershell!
1
Test-NetConnection -CommonTCPPort SMB -ComputerName #{target}