Internet Connection Discovery
Internet Connection Discovery [T1016.001]
Last updated
Internet Connection Discovery [T1016.001]
Last updated
Name: Internet Connection Discovery
ID: T1016.001
Tactics:
Technique:
Internet Connection Discovery (T1016.001) is a sub-technique of the Discovery tactic within the MITRE ATT&CK framework. Attackers leverage this method to identify and enumerate details about the victim's internet connectivity and external IP addresses. This information aids adversaries in understanding the target's network topology, external-facing infrastructure, and potential defensive measures, thus enabling them to plan and execute subsequent attack phases more effectively.
Attackers commonly utilize built-in operating system utilities, scripting languages, and custom-developed tools to perform Internet Connection Discovery. The primary goal is to discover the external IP address, network gateways, and DNS configurations of the targeted system.
Common execution methods and mechanisms include:
Operating System Commands and Utilities:
Windows:
ipconfig /all: Reveals detailed network configuration, including DNS servers and gateway information.
nslookup myip.opendns.com resolver1.opendns.com: Queries external DNS servers to determine the external IP address.
curl ifconfig.me or curl icanhazip.com: Retrieves external IP addresses directly from public services.
Linux/macOS:
ifconfig or ip addr: Provides local IP addresses and network interface details.
dig +short myip.opendns.com @resolver1.opendns.com: Queries external DNS servers for external IP.
curl ifconfig.me or curl icanhazip.com: Fetches external-facing IP addresses via public services.
Scripting Languages and Custom Tools:
PowerShell scripts:
Python scripts:
Custom malware or reconnaissance tools specifically designed to enumerate network connectivity and external IP addresses.
Cloud and Container Environments:
Attackers may query metadata services (e.g., AWS EC2 instance metadata) to quickly determine external IP addresses and network settings:
Adversaries use this information to:
Identify external-facing infrastructure.
Determine the victim's geographic location and ISP.
Map network perimeter defenses and external-facing services.
Plan further exploitation, lateral movement, or data exfiltration strategies.
Attackers typically employ Internet Connection Discovery during the early reconnaissance and discovery stages of the attack lifecycle. However, it can also appear in later stages, such as during lateral movement or data exfiltration, when attackers need to confirm external connectivity or identify alternative communication paths.
Common scenarios include:
Initial Reconnaissance and Discovery:
Gathering intelligence about the target environment's external IP addresses and network infrastructure.
Identifying potential entry points or vulnerabilities in external-facing systems.
Persistence and Command-and-Control (C2) Setup:
Confirming internet access and external IP addresses to establish reliable C2 channels.
Determining if outbound connections are permitted or restricted by firewall rules.
Lateral Movement and Escalation:
Enumerating external-facing IP addresses and gateways from compromised internal hosts to identify alternative attack paths.
Exfiltration Planning:
Assessing external connectivity to plan secure channels for data exfiltration.
Detection of Internet Connection Discovery techniques often involves monitoring system commands, network traffic, and anomalous DNS queries. Effective detection methods include:
Command-Line and Process Monitoring:
Monitoring for suspicious execution of commands such as ipconfig, ifconfig, nslookup, curl, wget, and dig.
Identifying unusual scripts or command-line arguments used to query external IP services.
Network Traffic Analysis:
Detecting outbound HTTP/HTTPS requests to known IP-discovery services (e.g., ifconfig.me, icanhazip.com, ipinfo.io).
Alerting on unusual DNS lookups or queries to external DNS resolvers (e.g., resolver1.opendns.com).
Endpoint Detection and Response (EDR) Tools:
Utilizing EDR solutions to detect execution of reconnaissance commands or scripts.
Identifying anomalous process execution patterns and correlating them with known attacker behaviors.
SIEM and Log Analysis:
Correlating logs from firewalls, proxies, and DNS servers to detect anomalous external connectivity checks.
Setting up alerts for frequent or unusual querying of external IP discovery services.
Indicators of Compromise (IoCs):
Frequent DNS queries to external resolvers (e.g., OpenDNS resolver IPs).
HTTP requests to known external IP address discovery services:
ifconfig.me
icanhazip.com
ipinfo.io
api.ipify.org
Execution of suspicious scripts or binaries performing external IP enumeration.
Early detection of Internet Connection Discovery is crucial because it often represents initial reconnaissance or preparation for more severe attacks. Detecting this technique can:
Provide early warning of potential intrusion attempts, enabling proactive defensive measures.
Allow defenders to disrupt attackers' reconnaissance and planning phases before they escalate.
Help organizations understand attacker intent and target selection, improving overall security posture.
Prevent or mitigate subsequent attack stages, such as lateral movement, data exfiltration, or command-and-control establishment.
Possible impacts if left undetected include:
Attackers gaining detailed knowledge of network topology and external-facing infrastructure.
Increased likelihood of successful exploitation, lateral movement, and data exfiltration.
Difficulty in identifying and containing breaches, resulting in prolonged attacker presence and increased damage.
Real-world examples of Internet Connection Discovery in attack scenarios include:
APT Groups and Nation-State Actors:
Advanced Persistent Threat (APT) actors frequently use scripts and built-in utilities to enumerate external IP addresses and network connectivity during initial reconnaissance or lateral movement phases.
Example: APT29 (Cozy Bear) has been observed using PowerShell scripts to query external IP addresses via public services, enabling them to plan subsequent C2 communications.
Commodity Malware and Botnets:
Many malware families (e.g., Emotet, TrickBot) execute commands such as ipconfig /all or perform HTTP requests to external IP discovery services to determine infected hosts' external IP addresses and network details.
Malware operators leverage this information to establish robust C2 channels and evade detection by dynamically adjusting their infrastructure.
Ransomware Attacks:
Ransomware groups often perform Internet Connection Discovery to understand victim networks, identify external IP addresses, and ensure reliable external communication channels for ransom negotiations.
Example: Ryuk ransomware operators have been known to perform external IP enumeration via standard OS commands and scripts prior to encryption and ransom demands.
Penetration Testing and Red Team Engagements:
Ethical hackers and penetration testers commonly use this technique during assessments to map external network infrastructure and identify potential vulnerabilities or misconfigurations.
Tools commonly used include:
Native OS utilities (ipconfig, ifconfig, nslookup, dig, curl, wget).
Open-source reconnaissance scripts (e.g., PowerShell scripts, Python scripts).
Malware-specific reconnaissance modules embedded within larger malware frameworks.
Impacts observed in real-world scenarios include:
Improved attacker persistence and stealth due to detailed knowledge of external network configurations.
Successful establishment of covert communication channels and C2 infrastructure.
Enhanced attacker capability to evade detection and maintain prolonged access to compromised environments.