Keypoints
- Adversaries test Internet access with utilities such as ping and tracert/traceroute, or with HTTP GET requests, to confirm that external hosts are reachable.
- Results help attackers determine viable paths to C2, identify proxies, and detect network restrictions.
- Monitoring process creation and command-line arguments can reveal connectivity checks early.
- Collect network logs, DNS queries, proxy logs, and web gateway logs to correlate connectivity probes.
- False positives are common; correlate connectivity probes with other suspicious behavior for context.
Description:
- Think of this like a burglar tapping windows and doors to find which ones open to the street before deciding where to enter.
- Adversaries run simple network tests (ICMP echo, traceroute, HTTP requests) to confirm external reachability, discover routing or proxy devices, and decide whether to initiate C2 or exfiltration. The results inform their next steps and raise the likelihood that the operation succeeds.
Detection:
- Log process creation and command-line arguments; alert on use of ping, tracert/traceroute, curl, wget, and unusual HTTP GETs from uncommon hosts.
- Inspect network device and firewall logs for repeated ICMP or traceroute patterns originating from endpoints.
- Monitor DNS query patterns for attempts to resolve external C2 domains or uncommon resolution sequences.
- Collect and review proxy and web gateway logs for unexpected direct HTTP/HTTPS requests from servers or internal assets.
- Use EDR to detect unusual network-related system calls and correlate with process lineage to reduce false positives.
- Establish a behavioral baseline per system and alert on deviations, such as a server that normally has no outbound Internet access suddenly making external requests.
- Hunt for sequences: connectivity checks followed by C2-like connections, suspicious scheduled tasks, or credential access attempts to prioritize incidents.
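The following is an added example (not from the original page) that applies the detection guidance above to constructed process-creation and network-connection events: it flags the reachability utilities named in the text, raises severity when a probe is followed by an outbound connection from a different process on the same host, and raises it again when the host is in an assumed no-egress baseline. Field names, hosts, addresses and the baseline set are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Names of utilities commonly used for reachability checks (see Detection above).
PROBE_TOOLS = {"ping", "tracert", "traceroute", "curl", "wget"}
# Assumed baseline (constructed): hosts that should never initiate Internet egress.
NO_EGRESS_HOSTS = {"db-srv-01"}
WINDOW = timedelta(minutes=10)  # probe -> follow-on connection correlation window

def is_probe(event):
    """True if a process-creation event launched a connectivity-check utility."""
    name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = name[:-4] if name.endswith(".exe") else name
    return name in PROBE_TOOLS

def score_events(proc_events, net_events):
    """Return (host, severity, reason) per probe; severity rises when the probe is
    followed within WINDOW by an outbound connection from a different process on
    the same host, and again when the host is in the no-egress baseline."""
    findings = []
    for p in proc_events:
        if not is_probe(p):
            continue
        t0 = datetime.fromisoformat(p["ts"])
        severity = 1
        reason = f"probe: {p['cmd']} (parent {p['parent']})"
        for n in net_events:
            t1 = datetime.fromisoformat(n["ts"])
            if n["host"] == p["host"] and n["image"] != p["image"] and t0 <= t1 <= t0 + WINDOW:
                severity += 1
                reason += f"; followed by {n['image']} -> {n['dst']}"
        if p["host"] in NO_EGRESS_HOSTS:
            severity += 1
            reason += "; host is in no-egress baseline"
        findings.append((p["host"], severity, reason))
    return findings

# Constructed sample telemetry (Sysmon-like fields, simplified); not real logs.
PROC_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "db-srv-01", "image": "C:\\Windows\\System32\\PING.EXE",
     "cmd": "ping -n 1 8.8.8.8", "parent": "cmd.exe"},
    {"ts": "2024-05-01T11:15:00", "host": "helpdesk-ws", "image": "/usr/bin/ping",
     "cmd": "ping -c 1 intranet-gw", "parent": "bash"},
]
NET_EVENTS = [
    {"ts": "2024-05-01T10:03:40", "host": "db-srv-01", "image": "C:\\Users\\Public\\svc.exe", "dst": "203.0.113.7:443"},
]

if __name__ == "__main__":
    for host, sev, why in sorted(score_events(PROC_EVENTS, NET_EVENTS), key=lambda f: -f[1]):
        print(f"[sev {sev}] {host}: {why}")
```

The helpdesk workstation's ping to an internal gateway scores lowest, which is the false-positive case the Keypoints warn about; the server whose probe is followed by an unknown binary connecting outbound scores highest.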
Tactics:
Discovery
Platforms:
ESXi, Linux, Windows, macOS
Data Sources:
Command: Command Execution, Process: Process Creation
Relationship Citations:
(Citation: MalwareBytes WoodyRAT Aug 2022), (Citation: NKAbuse SL), (Citation: Mandiant APT29 Eye Spy Email Nov 22), (Citation: Mandiant UNC3890 Aug 2022), (Citation: Mandiant FIN13 Aug 2022), (Citation: Microsoft Actinium February 2022), (Citation: Lunghi Iron Tiger Linux), (Citation: Kaspersky Lyceum October 2021), (Citation: Microsoft NICKEL December 2021), (Citation: Kaspersky QakBot September 2021), (Citation: Security Intelligence More Eggs Aug 2019), (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024), (Citation: Bitdefender Sardonic Aug 2021), (Citation: DFIR Phosphorus November 2021), (Citation: MSTIC NOBELIUM Mar 2021), (Citation: FoxIT Wocao December 2019), (Citation: Rapid7 HAFNIUM Mar 2021), (Citation: Symantec Shuckworm January 2022), (Citation: Secureworks DarkTortilla Aug 2022), (Citation: ESET ComRAT May 2020), (Citation: Cisco LotusBlossom 2025), (Citation: Cisco Operation Layover September 2021), (Citation: McAfee Sharpshooter December 2018)