Apr 24, 2022
Data Exfiltration using ICMP (and how to detect it).
Intro
Exfiltration, as described in Mitre Tactic TA0010, consists of techniques adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. The exfiltration techniques can include compression and encryption.
Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also involve putting size limits on the transmission.
At the time of this writing, TA0010 includes nine different techniques:
T1020 Automated Exfiltration
T1030 Data Transfer Size Limits
T1048 Exfiltration Over Alternative Protocol
T1041 Exfiltration Over C2 Channel
T1011 Exfiltration Over Other Network Medium
T1052 Exfiltration Over Physical Medium
T1567 Exfiltration Over Web Service
T1029 Scheduled Transfer
T1537 Transfer Data to Cloud Account
Exfiltration typically occurs using the same communication channel established with the C2 server (T1041) over a TCP or UDP socket.
Some PoC detail how data exfiltration can also leverage ICMP flows with a C2 server, using the data payload in ICMP-PING packets (T1048).
The GitHub link above includes scripts written in Python and PowerShell that can be used to upload/download files between a Windows-based compromised machine and a server listening for ICMP requests.
In a data exfiltration operation using ICMP, the receiver, a Linux machine running the python script in receive mode, assembles all the data payloads uploaded from the compromised machine and stores the original file.
The detection of data exfiltration using this method is not easy since it’s hard to tell apart “normal,” legit ICMP traffic from ICMP flows part of an exfiltration attempt. Furthermore, some tools used for endpoint telemetry, such as Sysmon, record TCP/UDP connections but not ICMP flows.
Detection Methods
End-Point
Endpoint Telemetry.
EDR: Wazuh Agent.
Telemetry Sources: Windows Sysinternals, Elastic Packetbeat.
The Windows Sysinternals suite provides valuable tools to show which process uses specific DLL files that relate to ICMP traffic.
We can use listdlls.exe or process explorer to determine which process has these libraries loaded. Suspend them one by one and note when the ICMP traffic stops.
Listdlls.exe -d iphlpapi.dll
PING.EXE pid: 10556
Command line: “C:\Windows\system32\PING.EXE” 127.0.0.1 -n 100Base Size Path
0x000000003b840000 0x3b000 C:\Windows\system32\IPHLPAPI.DLL
Elastic Packetbeat includes logging ICMP flows by default, where records are registered in real-time. This telemetry can be sent to a SIEM for further analysis, including applying detection rules to alert when ICMP transactions are detected that might indicate data exfiltration taking place using this technique.
The metadata used to spot possible anomalies in ICMP traffic is the pair “client_bytes” and “server_bytes” registered by Packetbeat.
In what could be considered a typical ICMP flow in a ping command, both fields will have the same value, as shown here:
However, when a data exfiltration takes place, the values are different:
At SOCFortress, we analyze relevant metadata (DNS queries, public IPs involved in a communication, process hashes, etc.) using threat intel. Any IoC reported by the security feeds used in our threat intel platforms will raise a high-level alert.
Network Perimeter
Other detection options are available at the network perimeter following a similar logic to the previous using Packetbeat.
Detection rules in IDS/IPS tools like Snort or Suricata can also be used to spot discrepancies in the size of the payload for sender and receiver in ICMP transactions.
Finally, advanced traffic analysis tools like Zeek can serve the same purpose.
Do you have any other suggestions on how to detect data exfiltration using ICMP? If so, please comment below.
Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Platform Demo: https://www.socfortress.co/demo_access.html
