1. Home
  2. Software
  3. Ping

Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

ID: S0097
Type: TOOL
Version: 1.5
Created: 31 May 2017
Last Modified: 17 April 2026
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1018 Remote System Discovery

Ping can be used to identify remote systems within a network.[1]

Groups That Use This Software

ID Name References
G0093 GALLIUM

[2]
G1001 HEXANE

[3]
G0004 Ke3chang

[4]
G0061 FIN8

[5]
G0059 Magic Hound

[6]
G0019 Naikon

[7][8]
G0009 Deep Panda

[9]
G0030 Lotus Blossom

Lotus Blossom has used Ping to verify connectivity to remote hosts.[10]
G0102 Wizard Spider

[11][12][13]
G0096 APT41

[14][15][16]
G1022 ToddyCat

[17]
G1017 Volt Typhoon

[18][19]
G0047 Gamaredon Group

[20]
G1054 MirrorFace

[21]
G0045 menuPass

[22][23]

Campaigns

ID Name Description
C0063 2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries had utilized Ping to enumerate network devices.[24]
C0017 C0017

During C0017, APT41 issued Ping commands to trigger DNS resolutions for data exfiltration, where the output of a reconnaissance command was prepended to subdomains within APT41's Cloudflare C2 infrastructure.[16]
C0018 C0018

During C0018, the threat actors used a PowerShell script to execute Ping commands once every minute against a domain controller.[25]
C0061 Operation Digital Eye

During Operation Digital Eye, threat actors used Ping for reconnaissance.[26]

References

  1. Microsoft. (n.d.). Ping. Retrieved April 8, 2016.
  2. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  3. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  4. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  5. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  6. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  7. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  8. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  9. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  10. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  11. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  12. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  13. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  1. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  2. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  3. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  4. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  5. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  6. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  7. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  8. Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026.
  9. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  10. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  11. CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
  12. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  13. Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. Retrieved February 27, 2025.