Lateral movement
ICMP Tunnel: Client
Detection overview
The "ICMP Tunnel: Client" detection indicates that a host is using ICMP (Internet Control Message Protocol) in a non-standard way that could suggest data transmission or command-and-control (C2) communication. This detection points to a potential client-side activity where a compromised host may be initiating communication using ICMP as a covert channel.
Triggers
- A host was observed using ICMP in ways inconsistent with standard implementation of the protocol.
- More precisely, a host’s ICMP traffic was observed to contain datagrams which vary in size more frequently than typical ICMP traffic would.
- An attacker may be using this host to communicate with or transfer data to an internal host.
Possible Root Causes
Malicious Detection
- An attacker is using ICMP as a staging and/or control channel. An attacker has established persistence & has chosen ICMP as a backup channel.
Benign Detection
- A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.
Business Impact
- The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
- Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
- ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.
Steps to Verify
- Check the destination IP & determine if the observed traffic arrives at a trusted endpoint.
- Investigate the host for malware, there may be code present which establishes a C2 channel with another host.
ICMP Tunnel: Client
Possible root causes
Malicious Detection
Attackers may use ICMP tunnels to establish a hidden communication channel to control compromised machines or exfiltrate data. ICMP, typically allowed for network diagnostic purposes, can be leveraged to bypass firewalls and evade monitoring tools that focus on application-layer traffic.
Benign Detection
In some cases, legitimate software tools, such as network diagnostic utilities or vulnerability scanners, might use ICMP in an unconventional way. These tools can generate unusual ICMP traffic, appearing similar to malicious behavior but with an intended purpose.
ICMP Tunnel: Client
Example scenarios
1. Compromised Workstation Initiating ICMP Traffic
A user's workstation begins sending ICMP packets with varying sizes to an external server, suggesting data transfer or C2 communications.
2. Legitimate Network Scanner Activity
A network administrator runs diagnostic tools that generate ICMP traffic, triggering the detection. Investigation confirms benign activity.
ICMP Tunnel: Client
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Stealthy Remote Control
Compromised systems acting as ICMP clients can be remotely controlled, allowing attackers to perform reconnaissance and facilitate lateral movement.
Potential Data Exfiltration
ICMP tunnels can be used for unauthorized data transfer, which poses significant risks to data confidentiality and integrity.
Weakening of Network Defenses
The use of ICMP tunnels challenges traditional perimeter security solutions, which may not inspect ICMP payloads rigorously.
ICMP Tunnel: Client
Steps to investigate
Review Destination IPs and Traffic Behavior
Check if the destination IPs are associated with known, trusted sources or if they are external and suspicious.
Scan for Malware on the Host
Inspect the client host for malicious software or code capable of establishing C2 channels through ICMP.
Analyze ICMP Packet Structures
Evaluate the content and size variability of ICMP datagrams to identify data encoding or communication patterns.
Review Network Logs for Related Activities
Look for correlated events that might indicate broader lateral movement or additional attempts to compromise other hosts.
ICMP Tunnel: Client
MITRE ATT&CK techniques covered
FAQs
Why is ICMP used for tunneling?
ICMP is generally allowed for diagnostics, making it an attractive channel for attackers to create stealthy communication links.
What should I do if ICMP tunneling is detected?
Investigate the host's behavior, assess the destination and context of the ICMP traffic, and perform malware scans.
Is this detection always an attack?
No, some network tools and diagnostics may trigger this detection without malicious intent.
What tools detect ICMP tunneling?
Advanced network monitoring tools and intrusion detection systems with protocol analysis can help identify ICMP tunneling.
How does this detection align with broader attack strategies?
It often serves as a method for attackers to bypass firewalls and other security measures as part of a broader campaign.
Can ICMP tunneling be legitimate?
Yes, some diagnostic tools may use ICMP in non-standard ways. Verification is needed to differentiate legitimate from malicious use.
What types of payloads indicate tunneling?
Payloads with abnormal sizes, frequent changes, or data encoding can signal tunneling.
How can I mitigate the risk?
Implement network monitoring that inspects ICMP payloads and restricts ICMP traffic where feasible.
Should I block ICMP traffic?
Blocking ICMP can disrupt legitimate diagnostics; instead, consider inspecting ICMP traffic for unusual patterns.
What are common attacker goals with ICMP tunnels?
Typically, they aim for remote control, data exfiltration, or persistent communication with compromised systems.