Data Exfiltration using ICMP (and how to detect it).

Intro

Exfiltration, as described in MITRE ATT&CK tactic TA0010, consists of techniques adversaries may use to steal data from your network. Once they have collected data, adversaries often package it to avoid detection while removing it; this packaging can include compression and encryption.

Detection Methods

End-Point

Listdlls.exe -d iphlpapi.dll
PING.EXE pid: 10556
Command line: "C:\Windows\system32\PING.EXE" 127.0.0.1 -n 100
Base Size Path
0x000000003b840000 0x3b000 C:\Windows\system32\IPHLPAPI.DLL
ICMP Flow, Normal Ping Traffic (client_bytes = server_bytes)
ICMP Flow — Asymmetric
OpenCTI Threat Intel
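The flow-based check described above (an ordinary ping mirrors its bytes in both directions, while a tunnel does not), written out as an added example rather than code from the original post. The Zeek conn.log-style field names and the thresholds are assumptions, and the flow records are constructed.

```python
# Added example: flag ICMP flows whose client/server byte counts are not
# mirrored. Input is constructed here in a Zeek conn.log-like shape
# (field names and thresholds are assumptions, not taken from the post).

SAMPLE_FLOWS = [
    # Ordinary ping: every echo request is answered by an equally sized reply.
    {"uid": "C1", "orig_h": "10.0.0.5", "resp_h": "10.0.0.1", "proto": "icmp",
     "orig_bytes": 3200, "resp_bytes": 3200, "orig_pkts": 100, "resp_pkts": 100},
    # Constructed tunnel-like flow: large echo requests, few and small replies.
    {"uid": "C2", "orig_h": "10.0.0.7", "resp_h": "203.0.113.9", "proto": "icmp",
     "orig_bytes": 96000, "resp_bytes": 480, "orig_pkts": 80, "resp_pkts": 12},
    # Non-ICMP flow, ignored by the detector even though it is asymmetric.
    {"uid": "C3", "orig_h": "10.0.0.7", "resp_h": "203.0.113.9", "proto": "tcp",
     "orig_bytes": 5000, "resp_bytes": 70000, "orig_pkts": 40, "resp_pkts": 60},
]

def asymmetry_ratio(flow):
    """Fraction of the flow's bytes sent by the client; 0.5 means symmetric."""
    total = flow["orig_bytes"] + flow["resp_bytes"]
    return flow["orig_bytes"] / total if total else 0.0

def icmp_flow_findings(flow, tolerance=0.1, min_bytes=1024, max_payload=128):
    """Return the reasons this ICMP flow looks like a tunnel, or [] if none."""
    if flow["proto"] != "icmp":
        return []
    reasons = []
    total = flow["orig_bytes"] + flow["resp_bytes"]
    # Tiny flows are not worth alerting on; min_bytes is an assumed cut-off.
    if total < min_bytes:
        return reasons
    ratio = asymmetry_ratio(flow)
    if abs(ratio - 0.5) > tolerance:
        reasons.append(f"asymmetric bytes client={flow['orig_bytes']} "
                       f"server={flow['resp_bytes']}")
    # Default ping payloads are small (32 bytes on Windows, 56 on Linux);
    # a large average request size suggests data carried in the payload.
    avg_req = flow["orig_bytes"] / flow["orig_pkts"] if flow["orig_pkts"] else 0
    if avg_req > max_payload:
        reasons.append(f"large echo request payload avg={avg_req:.0f}B")
    return reasons

def find_suspicious_icmp(flows):
    """Map uid -> reasons for every ICMP flow with at least one finding."""
    return {f["uid"]: r for f in flows if (r := icmp_flow_findings(f))}

if __name__ == "__main__":
    for uid, reasons in find_suspicious_icmp(SAMPLE_FLOWS).items():
        print(uid, "; ".join(reasons))
```

Against real conn logs the tolerance and payload thresholds need tuning per environment, since large-payload diagnostic pings and unanswered pings to dead hosts both produce benign asymmetry.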


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
