A host was observed using ICMP in ways inconsistent with standard implementations of the protocol.
More precisely, this host’s ICMP traffic was observed to contain datagrams whose size varies more frequently than it would in typical ICMP traffic.
An attacker may be using this host as a server to communicate with or transfer data to internal clients.
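The size-variation heuristic described above, as an added illustration that is not the page's own detection logic: each source host is scored by the entropy of its ICMP echo payload sizes, so a host repeating one fixed ping size scores 0 bits while a host whose datagram sizes keep changing scores high. The packet records are constructed, and the packet-count and entropy thresholds are assumed tuning values.

```python
from collections import Counter, defaultdict
import math

# Constructed sample of ICMP packets: (src_ip, icmp_type, payload_len).
# A standard Linux ping sends a fixed 56-byte payload; the second host's
# echo traffic carries a different payload length in nearly every datagram.
SAMPLE_PACKETS = [
    ("10.0.0.5", 8, 56), ("10.0.0.5", 8, 56), ("10.0.0.5", 8, 56),
    ("10.0.0.5", 8, 56), ("10.0.0.5", 8, 56), ("10.0.0.5", 8, 56),
    ("10.0.0.9", 8, 17), ("10.0.0.9", 8, 312), ("10.0.0.9", 8, 64),
    ("10.0.0.9", 8, 1011), ("10.0.0.9", 8, 5), ("10.0.0.9", 8, 470),
    ("10.0.0.9", 8, 223), ("10.0.0.9", 8, 89),
]


def size_entropy(sizes):
    """Shannon entropy (bits) of the payload-size distribution."""
    counts = Counter(sizes)
    total = len(sizes)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def score_hosts(packets, min_packets=5):
    """Return {src_ip: (packet_count, distinct_sizes, entropy_bits)} for every
    host with at least min_packets echo datagrams (assumed threshold)."""
    by_host = defaultdict(list)
    for src, icmp_type, plen in packets:
        if icmp_type in (0, 8):  # echo reply / echo request carry tunnel data
            by_host[src].append(plen)
    result = {}
    for src, sizes in by_host.items():
        if len(sizes) >= min_packets:
            result[src] = (len(sizes), len(set(sizes)), round(size_entropy(sizes), 3))
    return result


def flag_variable_size_hosts(packets, entropy_threshold=2.0):
    """Hosts whose ICMP payload sizes vary more than fixed-size ping traffic.
    The 2.0-bit threshold is an assumed value; tune it on baseline traffic."""
    return sorted(src for src, (_, _, bits) in score_hosts(packets).items()
                  if bits >= entropy_threshold)


if __name__ == "__main__":
    for src, stats in score_hosts(SAMPLE_PACKETS).items():
        print(src, stats)
    print("flagged:", flag_variable_size_hosts(SAMPLE_PACKETS))
```

A flagged host is a lead for the verification steps below, not a verdict: scanners and other devices that craft nonstandard datagrams produce the same signal.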
Possible Root Causes
Malicious Detection
An attacker is using ICMP as a staging and/or control channel.
An attacker has established persistence & has chosen ICMP as a backup channel.
Benign Detection
A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.
Business Impact
The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.
Steps to Verify
Check the destination IP & determine if the observed traffic arrives at a trusted endpoint.
Investigate the host for malware; there may be code present which establishes a C2 channel with another host.
ICMP Tunnel: Server