Lateral movement

ICMP Tunnel: Client

Detection overview

Triggers

  • A host was observed using ICMP in ways inconsistent with standard implementation of the protocol.
  • More precisely, the host’s ICMP traffic contains datagrams whose sizes change from one packet to the next far more often than they do in typical ICMP traffic.
  • An attacker may be using this host to communicate with or transfer data to an internal host.
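The size-variability trigger above can be illustrated with a small detection routine. This is an added example, not the vendor's detection logic; the packet records, the minimum packet count and the change-rate threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample ICMP echo records: (source_ip, payload_bytes).
# A standard ping sends a fixed-size payload (56 bytes on Linux, 32 on Windows);
# a tunnel carries arbitrary data, so payload size jumps from packet to packet.
SAMPLE_ICMP = [
    ("10.0.0.5", 56), ("10.0.0.5", 56), ("10.0.0.5", 56), ("10.0.0.5", 56),
    ("10.0.0.5", 56), ("10.0.0.5", 56), ("10.0.0.5", 56), ("10.0.0.5", 56),
    ("10.0.0.9", 64), ("10.0.0.9", 12), ("10.0.0.9", 310), ("10.0.0.9", 8),
    ("10.0.0.9", 512), ("10.0.0.9", 40), ("10.0.0.9", 1024), ("10.0.0.9", 77),
]


def size_change_rate(sizes):
    """Fraction of consecutive packets whose payload size differs from the previous one."""
    if len(sizes) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(sizes, sizes[1:]) if a != b)
    return changes / (len(sizes) - 1)


def flag_icmp_tunnel_clients(records, min_packets=8, change_threshold=0.5):
    """Group ICMP records by source host and flag hosts whose payload sizes
    vary unusually often. Thresholds are assumed values for this example."""
    by_host = defaultdict(list)
    for src, size in records:
        by_host[src].append(size)
    results = {}
    for host, sizes in by_host.items():
        if len(sizes) < min_packets:
            continue  # too little traffic to judge; avoid flagging a single odd ping
        rate = size_change_rate(sizes)
        results[host] = {
            "packets": len(sizes),
            "distinct_sizes": len(set(sizes)),
            "change_rate": rate,
            "size_stdev": pstdev(sizes),
            "flagged": rate >= change_threshold,
        }
    return results


if __name__ == "__main__":
    for host, stats in flag_icmp_tunnel_clients(SAMPLE_ICMP).items():
        print(host, stats)
```

In the sample, the constant-size host is left alone while the host whose payload changes on every packet is flagged; a vulnerability scanner crafting odd datagrams would trip the same rule, which is why the benign root cause below matters.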

Possible Root Causes

Malicious Detection

  • An attacker is using ICMP as a staging and/or control channel. An attacker has established persistence & has chosen ICMP as a backup channel.

Benign Detection

  • A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.

Business Impact

  • The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
  • Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
  • ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.

Steps to Verify

  • Check the destination IP & determine if the observed traffic arrives at a trusted endpoint.
  • Investigate the host for malware; code may be present that establishes a C2 channel with another host.