Detect Large Outbound ICMP Packets

Description

This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Techniques

Non-Application Layer Protocol

Non-Application Layer Protocol

MITRE Threat Groups

APT29
APT3
FIN6
PLATINUM

Kill Chain Phases

Command and Control

Data Sources

Network Communication

   Help

Detect Large Outbound ICMP Packets Help

In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named internal to the CIDRs that host the company's assets in the assets_by_cidr.csv lookup file, which is located in $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model

   Search

Open in Search