Lateral movement
ICMP Tunnel: Server
Detection overview
The "ICMP Tunnel: Server" detection identifies instances where a host within the network is acting as a server using ICMP (Internet Control Message Protocol) in ways that diverge from standard protocol behavior. This detection highlights potential covert channels used for communication, which could indicate that the host has been compromised for command-and-control (C2) activities or data exfiltration.
Triggers
- A host was observed using ICMP in ways inconsistent with standard implementation of the protocol.
- More precisely, this host’s ICMP traffic was observed to contain datagrams which vary in size more frequently than typical ICMP traffic would.
- An attacker may be using this host as a server to communicate with or transfer data to internal clients.
Possible Root Causes Malicious Detection
- An attacker is using ICMP as a staging and/or control channel. An attacker has established persistence & has chosen ICMP as a backup channel. Benign Detection
- A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.
Business Impact
- The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
- Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
- ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.
Steps to Verify
- Check the destination IP & determine if the observed traffic arrives at a trusted endpoint.
- Investigate the host for malware, there may be code present which establishes a C2 channel with another host.
ICMP Tunnel: Server
Possible root causes
Malicious Detection
Attackers use ICMP as a covert channel for communication with compromised hosts, given its common use in network management and potential to bypass standard security filters. This method may be chosen for staging operations, maintaining persistence, or facilitating data exfiltration without easily detectable application-layer traffic.
Benign Detection
Non-standard ICMP traffic could stem from legitimate network tools or devices such as vulnerability scanners that craft custom ICMP packets for diagnostics. These activities, while valid, might still resemble patterns flagged as suspicious if not previously observed in regular operations.
ICMP Tunnel: Server
Example scenarios
1. Stealthy Data Transfer
An attacker uses ICMP to exfiltrate small, encrypted data segments from a compromised server, avoiding firewall detection.
2. C2 Channel Backup
After a primary C2 channel is disrupted, an attacker switches to ICMP as a fallback communication method for maintaining control over a compromised system.
ICMP Tunnel: Server
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Risk of Remote Access
An attacker using an ICMP tunnel can maintain persistent access to a compromised system, posing a significant risk for continuous network reconnaissance or exploitation.
Potential Data Exfiltration
The use of ICMP for exfiltrating data can occur stealthily, bypassing typical perimeter defenses, leading to unauthorized data transfer and loss.
Undermining of Perimeter Security
ICMP tunneling can undermine security monitoring mechanisms, allowing attackers to bypass firewalls and intrusion detection systems using legitimate-looking traffic.
ICMP Tunnel: Server
Steps to investigate
Examine Destination IPs and Traffic Patterns
Verify if the ICMP traffic destinations align with trusted endpoints or unusual external entities.
Check Host for Malicious Code
Conduct malware scans to detect any code establishing a C2 channel through ICMP or other hidden protocols.
Analyze ICMP Packet Content
Review the contents of ICMP datagrams for signs of encoded data or command instructions, which may indicate tunneling activity.
Cross-Reference with Other Network Logs
Check network logs for correlating anomalies such as unauthorized connections or unusual data transfers associated with the host.
ICMP Tunnel: Server
MITRE ATT&CK techniques covered
FAQs
Why use ICMP for tunneling?
ICMP is commonly allowed through firewalls for network diagnostics, making it a suitable covert channel for attackers to avoid scrutiny.
What tools can create ICMP tunnels?
Utilities like icmpsh, Ptunnel, and custom scripts can be used by attackers to establish such tunnels.
What signs indicate ICMP tunneling?
Look for ICMP packets with abnormal sizes, frequencies, or unexpected destinations that deviate from typical use.
Can ICMP tunneling be blocked?
Yes, by configuring firewalls to filter ICMP payloads or by using more granular inspection tools.
Could tunneling involve other protocols?
Yes, similar methods can use DNS, HTTP(S), or other non-standard channels for hidden communication.
How do attackers utilize ICMP tunnels?
They send commands or exfiltrate data within ICMP payloads, making it difficult for conventional monitoring systems to detect.
Is all irregular ICMP traffic suspicious?
Not necessarily; network tools may send non-standard ICMP for legitimate purposes. Context is essential for assessment.
What should be done if tunneling is confirmed?
Isolate the host, perform a thorough analysis, and review the access logs to identify potential data exposure.
What are common benign triggers for this detection?
Network testing tools, diagnostic applications, and system monitoring utilities may send customized ICMP packets.
Is ICMP tunneling a new technique?
No, it has been used for years as a method to evade standard detection mechanisms.