System Network Configuration Discovery: Internet Connection Discovery

ID Name
T1016.001 Internet Connection Discovery
T1016.002 Wi-Fi Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites, or performing initial speed testing to confirm bandwidth.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

ID: T1016.001
Sub-technique of: T1016
Tactic: Discovery
Platforms: ESXi, Linux, Windows, macOS
Contributors: Christopher Peacock
Version: 1.2
Created: 17 March 2021
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0016 APT29

APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.[1]

S1066 DarkTortilla

DarkTortilla can check for internet connectivity by issuing HTTP GET requests.[2]

G1016 FIN13

FIN13 has used Ping and tracert for network reconnaissance efforts.[3]

G0061 FIN8

FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.[4]

G0047 Gamaredon Group

Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.[5] Gamaredon Group has searched the ping records to obtain the C2 address and has used ping to search for the C2’s status.[6]

S0597 GoldFinder

GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.[7]

G0125 HAFNIUM

HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com.[8]

S1229 Havoc

The Havoc demon can check for a connection to the C2 server from the target machine.[9]

G1001 HEXANE

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.[10]

G0030 Lotus Blossom

Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.[11]

G0059 Magic Hound

Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.[12]

S0284 More_eggs

More_eggs has used HTTP GET requests to check internet connectivity.[13]

S0691 Neoichor

Neoichor can check for Internet connectivity by contacting bing[.]com with the request format bing[.]com?id=<GetTickCount>.[14]

S1107 NKAbuse

NKAbuse utilizes external services such as ifconfig.me to identify the victim machine's IP address.[15]

C0014 Operation Wocao

During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.[16]

S1228 PUBLOAD

PUBLOAD has identified internet connectivity details through commands such as tracert -h 5 -4 google.com and curl http://myip.ipip.net.[17]

S0650 QakBot

QakBot can measure the download speed on a targeted host.[18]

S0686 QuietSieve

QuietSieve can check C2 connectivity with a ping to 8.8.8.8 (Google public DNS).[19]

S0448 Rising Sun

Rising Sun can test a connection to a specified network IP address over a specified port number.[20]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[7]

S1049 SUGARUSH

SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.[21]

S0663 SysUpdate

SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.[22]

G1018 TA2541

TA2541 has run scripts to check internet connectivity from compromised hosts.[23]

G0010 Turla

Turla has used tracert to check internet connectivity.[24]

G1017 Volt Typhoon

Volt Typhoon has employed Ping to check network connectivity.[25]

S1065 Woody RAT

Woody RAT can make Ping GET HTTP requests to its C2 server at regular intervals for network connectivity checks.[26]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID: DET0357
Name: Behavioral Detection of Internet Connection Discovery
Analytics:

AN1015: Execution of utilities (e.g., ping, tracert, Test-NetConnection) or scripted methods to test Internet connectivity by interacting with external IPs/domains.

AN1016: Execution of ping, traceroute, or curl/wget against public IPs/domains to verify Internet reachability.

AN1017: Execution of ping, traceroute, or network utility tools to external destinations; may include scutil or system_profiler.

AN1018: Execution of ping, vmkping, or curl from shell or through automation jobs/scripts to verify Internet egress.
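As an added example (not part of the ATT&CK page), the following Python applies the logic of analytics AN1015 to AN1018 to constructed process-creation events: it looks for the named utilities in the command line, extracts the destination, and flags only external destinations so that routine checks against RFC 1918 hosts do not fire. The tool list, the regexes and the sample events are assumptions for illustration, not ATT&CK data.

```python
import ipaddress
import re

# Utilities named in analytics AN1015-AN1018, as lowercase basenames (Test-NetConnection is a cmdlet).
CHECK_TOOLS = {"ping", "tracert", "traceroute", "curl", "wget", "vmkping", "test-netconnection"}
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def basename(token):
    """Strip quotes, directory and .exe so a full PING.EXE path becomes 'ping'."""
    name = re.split(r"[\\/]", token.strip('"\''))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def destination(tokens):
    """First token that is an IP address or DNS name, with URL scheme and path removed."""
    for tok in tokens:
        tok = re.sub(r"^[a-z]+://", "", tok.strip('"\''), flags=re.I).split("/")[0]
        if not tok or tok.startswith("-") or tok.lower().endswith(".exe") or basename(tok) in CHECK_TOOLS:
            continue
        if IP_RE.fullmatch(tok) or HOST_RE.fullmatch(tok):
            return tok.lower()
    return None

def is_external(dest):
    """Public IPs and any DNS name count as external; RFC 1918, loopback and link-local do not."""
    try:
        return ipaddress.ip_address(dest).is_global
    except ValueError:
        return True  # DNS name: assumed external here; an internal-domain allow-list would refine this

def triage(events):
    """Return (event id, tool, destination) for every event that matches the detection logic."""
    hits = []
    for ev in events:
        tokens = ev["cmdline"].split()
        tool = next((basename(t) for t in tokens if basename(t) in CHECK_TOOLS), None)
        dest = destination(tokens) if tool else None
        if tool and dest and is_external(dest):
            hits.append((ev["id"], tool, dest))
    return hits

# Constructed process-creation events modelled on the procedure examples above (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r"C:\Windows\System32\cmd.exe /c ping -n 1 8.8.8.8"},
    {"id": 2, "cmdline": "tracert -h 5 -4 google.com"},
    {"id": 3, "cmdline": "curl http://myip.ipip.net"},
    {"id": 4, "cmdline": "powershell.exe -c Test-NetConnection google.com -Port 443"},
    {"id": 5, "cmdline": "ping -c 1 10.0.0.5"},       # RFC 1918 host: not flagged
    {"id": 6, "cmdline": "vmkping -I vmk0 1.1.1.1"},  # ESXi egress check
]
```

Events 1, 2, 3, 4 and 6 are returned by `triage(SAMPLE_EVENTS)`; event 5 is suppressed because its destination is private.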

References

  1. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  2. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  3. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  4. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  5. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  6. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025.
  7. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  8. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  9. Shivtarkar, N. and Jain, S. (2023, February 14). Havoc Across the Cyberspace. Retrieved August 4, 2025.
  10. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  11. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  12. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  13. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  14. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  15. KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
  16. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  17. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
  18. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  19. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  20. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  21. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  22. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  23. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  24. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  25. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  26. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.