System Network Configuration Discovery: Internet Connection Discovery

ID Name
T1422.001 Internet Connection Discovery
T1422.002 Wi-Fi Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using adb shell netstat for Android.[1]

Adversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

ID: T1422.001
Sub-technique of:  T1422
Tactic: Discovery
Platforms: Android, iOS
Version: 1.0
Created: 20 February 2024
Last Modified: 20 February 2024

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can collect device IP address and SIM information.[2]

S0540 Asacub

Asacub can collect various pieces of device network configuration information, such as mobile network operator.[3]


BOULDSPY can collect network information, such as IP address, SIM card info, and Wi-Fi info.[4]

S0529 CarbonSteal

CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.[5]

S0425 Corona Updates

Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.[6]

S0478 EventBot

EventBot can gather device network information.[7]

S0522 Exobot

Exobot can obtain the device’s IMEI, phone number, and IP address.[8]

S0405 Exodus

Exodus One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.[9]

S0509 FakeSpy

FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.[10]

S1093 FlyTrap

FlyTrap can collect IP address and network configuration information.[11]

S1077 Hornbill

Hornbill can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.[12]


INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).[13]

S0407 Monokle

Monokle checks if the device is connected via Wi-Fi or mobile data.[14]

S0316 Pegasus for Android

Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.[15]

S0326 RedDrop

RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.[16]


TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[17]

S1056 TianySpy

TianySpy can check to see if WiFi is enabled.[18]

S0427 TrickMo

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[19]

S0506 ViperRAT

ViperRAT can collect network configuration data from the device, including phone number, SIM operator, and network operator.[20]


ID Mitigation Description
M1009 Encrypt Network Traffic

Ensure that traffic is encrypted to reduce adversaries’ ability to intercept, decrypt and manipulate traffic.


ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.