T1016.001 Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1016.001 | Internet Connection Discovery | |
Comments
Microsoft Sentinel's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique.

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1016.001 | Internet Connection Discovery | |
Comments
Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral

M365 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1016.001 | Internet Connection Discovery | |
Comments
Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique.