Data Exfiltration using ICMP (and how to detect it).

3 min readApr 24, 2022

Intro

Exfiltration, as described in Mitre Tactic TA0010, consists of techniques adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. The exfiltration techniques can include compression and encryption.

Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also involve putting size limits on the transmission.

At the time of this writing, TA0010 includes nine different techniques:

T1020 Automated Exfiltration

T1030 Data Transfer Size Limits

T1048 Exfiltration Over Alternative Protocol

T1041 Exfiltration Over C2 Channel

T1011 Exfiltration Over Other Network Medium

T1052 Exfiltration Over Physical Medium

T1567 Exfiltration Over Web Service

T1029 Scheduled Transfer

T1537 Transfer Data to Cloud Account

Exfiltration typically occurs using the same communication channel established with the C2 server (T1041) over a TCP or UDP socket.

Some PoC detail how data exfiltration can also leverage ICMP flows with a C2 server, using the data payload in ICMP-PING packets (T1048).

The GitHub link above includes scripts written in Python and PowerShell that can be used to upload/download files between a Windows-based compromised machine and a server listening for ICMP requests.

In a data exfiltration operation using ICMP, the receiver, a Linux machine running the python script in receive mode, assembles all the data payloads uploaded from the compromised machine and stores the original file.

The detection of data exfiltration using this method is not easy since it’s hard to tell apart “normal,” legit ICMP traffic from ICMP flows part of an exfiltration attempt. Furthermore, some tools used for endpoint telemetry, such as Sysmon, record TCP/UDP connections but not ICMP flows.

Detection Methods

End-Point

Endpoint Telemetry.
EDR: Wazuh Agent.
Telemetry Sources: Windows Sysinternals, Elastic Packetbeat.

The Windows Sysinternals suite provides valuable tools to show which process uses specific DLL files that relate to ICMP traffic.
We can use listdlls.exe or process explorer to determine which process has these libraries loaded. Suspend them one by one and note when the ICMP traffic stops.

Listdlls.exe -d iphlpapi.dll
PING.EXE pid: 10556
Command line: “C:\Windows\system32\PING.EXE” 127.0.0.1 -n 100Base Size Path
0x000000003b840000 0x3b000 C:\Windows\system32\IPHLPAPI.DLL

Elastic Packetbeat includes logging ICMP flows by default, where records are registered in real-time. This telemetry can be sent to a SIEM for further analysis, including applying detection rules to alert when ICMP transactions are detected that might indicate data exfiltration taking place using this technique.
The metadata used to spot possible anomalies in ICMP traffic is the pair “client_bytes” and “server_bytes” registered by Packetbeat.
In what could be considered a typical ICMP flow in a ping command, both fields will have the same value, as shown here:

ICMP Flow, Normal Ping Traffic (clien_bytes=server_bytes)

However, when a data exfiltration takes place, the values are different:

ICMP Flow — Asymmetric

At SOCFortress, we analyze relevant metadata (DNS queries, public IPs involved in a communication, process hashes, etc.) using threat intel. Any IoC reported by the security feeds used in our threat intel platforms will raise a high-level alert.

Network Perimeter

Other detection options are available at the network perimeter following a similar logic to the previous using Packetbeat.

Detection rules in IDS/IPS tools like Snort or Suricata can also be used to spot discrepancies in the size of the payload for sender and receiver in ICMP transactions.
Finally, advanced traffic analysis tools like Zeek can serve the same purpose.

Do you have any other suggestions on how to detect data exfiltration using ICMP? If so, please comment below.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

Data Exfiltration using ICMP (and how to detect it).

Intro

Detection Methods

Written by SOCFortress

More from SOCFortress

Installing the New Wazuh version 4.4 — The SOCFortress Way

Learn how to deploy the latest version of the Wazuh-Manager, Wazuh-Indexer with full Graylog integration.

Part 10. MISP Threat Intel

Deploy your own threat intel in under 10minutes!

Part 1. Wazuh Indexer — SIEM Backend

Let’s install the backend service that will store our collected security logs, Wazuh-Indexer.

Build Your Own SIEM Stack with Open Source Tools Series

Intro to our Worlds Best SOC Built on Open Source Tools series.

Recommended from Medium

Trying out Wazuh SIEM

Testing several Wazuh features including file integrity monitoring, malware and brute-force detection.

6 Useful Infographics for Threat Intelligence

Visualizing Cybersecurity concepts can be a terrific way to learn more about specific tools, methodologies, and techniques! Here is a post…

Lists

Staff Picks

Stories to Help You Level-Up at Work

Self-Improvement 101

Productivity 101

Wazuh & Jira Integration

This short guide should help you to integrate Wazuh, a pretty nifty SIEM that we use in our SOC, with Jira, the pretty much de-facto…

Threat Intelligence with MISP: Part 2 — Setting up MISP

Learn how create your own cyber threat intelligence database and information sharing platform by installing and setting up MISP!

Blue Teaming with Wazuh Part 2: Attacks & Alerts

Table of Contents

Top 10 Wazuh OSSEC FIM Check for Malware Detection

When configuring security monitoring on an Ubuntu system in order to identify malicious software with Wazuh platform , you will want to…