Lateral movement

ICMP Tunnel: Server

Detection overview

Triggers

  • A host was observed using ICMP in ways inconsistent with standard implementations of the protocol.
  • More precisely, this host’s ICMP traffic was observed to contain datagrams whose size varies more frequently than it would in typical ICMP traffic.
  • An attacker may be using this host as a server to communicate with or transfer data to internal clients.
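
The trigger above is a payload-size variability heuristic. As an added illustration (not the vendor's detection logic), the following script profiles ICMP datagrams per source host and flags hosts whose payload sizes change unusually often; the record format, sample flow log and thresholds are all constructed assumptions.

```python
"""Flag hosts whose ICMP payload sizes change unusually often (constructed example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

class IcmpRecord(NamedTuple):
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    payload_len: int

# Constructed sample flow log: a steady pinger, a scanner sweep, and a suspected tunnel endpoint.
SAMPLE = (
    [IcmpRecord("10.0.0.5", "10.0.0.1", 8, 56)] * 20                        # steady 56-byte pings
    + [IcmpRecord("10.0.0.9", f"10.0.0.{i}", 8, 32) for i in range(10, 30)]  # constant-size sweep
    + [IcmpRecord("10.0.0.77", "10.0.0.5", 0, n)                            # replies of varying size
       for n in (64, 512, 120, 1024, 64, 900, 33, 700, 256, 1400, 8, 480)]
)

def size_change_rate(sizes: List[int]) -> float:
    """Fraction of consecutive datagrams whose payload length differs from the previous one."""
    if len(sizes) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(sizes, sizes[1:]) if a != b)
    return changes / (len(sizes) - 1)

def icmp_size_profile(records: Iterable[IcmpRecord]) -> Dict[str, dict]:
    """Per source host: datagram count, number of distinct payload sizes and size change rate."""
    by_host: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        by_host[r.src].append(r.payload_len)
    return {
        host: {
            "count": len(sizes),
            "distinct_sizes": len(set(sizes)),
            "change_rate": size_change_rate(sizes),
        }
        for host, sizes in by_host.items()
    }

def flag_icmp_tunnel_servers(records, min_count=10, min_distinct=4, min_change_rate=0.5):
    """Return hosts whose ICMP size variability exceeds the (assumed, tunable) thresholds."""
    return sorted(
        host for host, p in icmp_size_profile(records).items()
        if p["count"] >= min_count
        and p["distinct_sizes"] >= min_distinct
        and p["change_rate"] >= min_change_rate
    )

if __name__ == "__main__":
    for host, p in icmp_size_profile(SAMPLE).items():
        print(host, p)
    print("flagged:", flag_icmp_tunnel_servers(SAMPLE))
```

A scanner that deliberately crafts datagrams of many different sizes would score like the tunnel host here, which is why the destination and host checks under Steps to Verify still matter.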

Possible Root Causes

Malicious Detection

  • An attacker is using ICMP as a staging and/or control channel.
  • An attacker has established persistence & has chosen ICMP as a backup channel.

Benign Detection

  • A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.

Business Impact

  • The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
  • Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
  • ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.

Steps to Verify

  • Check the destination IP & determine whether the observed traffic arrives at a trusted endpoint.
  • Investigate the host for malware; there may be code present which establishes a C2 channel with another host.