Command & Control

ICMP Tunnel

Detection overview

Triggers

  • A host was observed using ICMP in ways inconsistent with the standard implementation of the protocol.
  • More precisely, the host’s ICMP traffic was observed to contain datagrams whose size varies more frequently than typical ICMP traffic would.
  • An attacker may be using the host to communicate with, or transfer data to, an external host.
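
The size-variability trigger above can be reproduced over per-datagram ICMP records. The following is an added example, not the vendor's detection logic; the record format, the constructed sample records and the threshold are assumptions.

```python
# Added example: flag hosts whose ICMP datagram payload sizes change unusually often.
# Record format, sample values and threshold are hypothetical (constructed for this example).
from collections import defaultdict

# Constructed records: (timestamp, src_ip, dst_ip, icmp_type, payload_bytes)
SAMPLE_RECORDS = [
    # Ordinary ping: fixed 56-byte echo requests
    (1, "10.0.0.5", "8.8.8.8", 8, 56),
    (2, "10.0.0.5", "8.8.8.8", 8, 56),
    (3, "10.0.0.5", "8.8.8.8", 8, 56),
    (4, "10.0.0.5", "8.8.8.8", 8, 56),
    # Tunnel-like: echo requests whose payload length keeps changing
    (1, "10.0.0.9", "203.0.113.7", 8, 412),
    (2, "10.0.0.9", "203.0.113.7", 8, 88),
    (3, "10.0.0.9", "203.0.113.7", 8, 1024),
    (4, "10.0.0.9", "203.0.113.7", 8, 300),
    (5, "10.0.0.9", "203.0.113.7", 8, 975),
]

def size_change_ratio(sizes):
    """Fraction of consecutive datagrams whose payload length differs from the previous one."""
    if len(sizes) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(sizes, sizes[1:]) if a != b)
    return changes / (len(sizes) - 1)

def find_variable_size_hosts(records, min_datagrams=4, ratio_threshold=0.5):
    """Return {src_ip: (ratio, distinct_sizes, destinations)} for hosts over the threshold."""
    by_host = defaultdict(list)
    for _ts, src, dst, icmp_type, size in sorted(records):
        # Echo request/reply (types 8/0): normally a fixed-size probe payload
        if icmp_type in (0, 8):
            by_host[src].append((size, dst))
    flagged = {}
    for src, items in by_host.items():
        if len(items) < min_datagrams:   # too few datagrams to judge variability
            continue
        sizes = [s for s, _ in items]
        ratio = size_change_ratio(sizes)
        if ratio >= ratio_threshold:
            flagged[src] = (ratio, len(set(sizes)), sorted({d for _, d in items}))
    return flagged

if __name__ == "__main__":
    # Destinations are reported so the analyst can check whether they are trusted endpoints
    for host, (ratio, distinct, dsts) in find_variable_size_hosts(SAMPLE_RECORDS).items():
        print(f"{host}: {ratio:.2f} of datagrams changed size ({distinct} distinct sizes) -> {dsts}")
```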

Possible Root Causes

Malicious Detection

  • An attacker is using ICMP as a staging and/or control channel, or has established persistence and chosen ICMP as a backup channel.

Benign Detection

  • A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.

Business Impact

  • The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
  • Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
  • ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.

Steps to Verify

  • Check the destination IP and determine whether the observed traffic arrives at a trusted endpoint.
  • Investigate the host for malware; there may be code present which establishes a C2 channel with another host.