Rules Contributing to ICMP Based Exfiltration or Tunneling Alert

The following rules are used to identify data exfiltration attempts over ICMP protocol. Any one or more of these will trigger the ICMP Based Exfiltration or Tunneling Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

ICMP Based Exfiltration or Tunneling

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

More details

Rule ID

network_security_1

Query

{'selection_protocol': {'appid_name': 'icmp'}, 'selection_exfiltration': {'metadata|contains': ["tunneling': 2", "tunneling': 1"]}, 'selection_unreachable': {'metadata|contains': 'unreachable'}, 'condition': 'selection_protocol and selection_exfiltration and not selection_unreachable'}

Log Source

Stellar Cyber Network Events configured for:

Requirements: Network/Security/Modular sensor must be able to capture network traffic

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0010, T1048.003

References

N/A

Severity

Suppression Logic Based On

appid_name
srcip
dstip
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2024/07/01	medium	Unknown.