Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-ICMPTunnel.

Upgrade to Pro
THREAT-Exfiltration-ICMPTunnel

Data Exfiltration via ICMP Tunneling

Exfiltration Last updated:

Adversaries encode stolen data inside ICMP echo request/reply payloads to exfiltrate over a protocol that is frequently permitted outbound by firewalls even when all other egress is blocked. Public tools such as icmpsh, ptunnel, hans, and pingtunnel wrap a full bidirectional channel inside ICMP type 8/0 packets, and living-off-the-land variants simply abuse the built-in ping utility with oversized payloads (-l on Windows, -s on Linux/macOS) to smuggle data in repeated pings. This technique is a persistent detection gap because most EDR network telemetry (Microsoft Defender for Endpoint DeviceNetworkEvents, Sysmon Event ID 3, CrowdStrike NetworkConnectIP4) only instruments TCP/UDP connection setup and does not log ICMP traffic at all. Reliable detection therefore requires combining process-level visibility (ping.exe / ping binary invoked with abnormal packet-size or repeat-count flags, or unrecognized ICMP tunneling binaries) with network-layer telemetry from firewalls, NetFlow, or NDR/Zeek sensors that do record ICMP as a protocol.

What is THREAT-Exfiltration-ICMPTunnel Data Exfiltration via ICMP Tunneling?

Data Exfiltration via ICMP Tunneling (THREAT-Exfiltration-ICMPTunnel) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration via ICMP Tunneling, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
// THREAT: ICMP Tunnel Exfiltration
// Signal 1: ping.exe invoked with oversized payload or high-repeat flags (host-level, EDR-visible)
let SuspiciousPing = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "ping.exe"
| extend PayloadSize = extract(@"-l\s+(\d+)", 1, ProcessCommandLine)
| extend RepeatFlag = ProcessCommandLine has_any ("-t", "-n 500", "-n 1000")
| where (isnotempty(PayloadSize) and toint(PayloadSize) > 1000) or RepeatFlag
| extend Signal = "OversizedOrContinuousPing"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, Signal;
// Signal 2: known ICMP tunneling tool binaries dropped or executed
let KnownTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("icmpsh", "ptunnel", "hans.exe", "hans", "pingtunnel", "icmptunnel")
| extend Signal = "KnownICMPTunnelTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, Signal;
SuspiciousPing
| union KnownTools
| sort by Timestamp desc
// NOTE: DeviceNetworkEvents does NOT capture ICMP traffic in Microsoft Defender for Endpoint.
// Pair this query with the CommonSecurityLog / firewall-based hunting query below for
// network-layer confirmation of high-volume or high-frequency ICMP flows to public IPs.

Host-level detection for ICMP tunnel exfiltration using Microsoft Defender for Endpoint process telemetry. Signal 1 flags ping.exe invocations with an oversized payload (-l greater than 1000 bytes, versus the 32-byte Windows default) or continuous/high-repeat flags (-t, large -n counts), both hallmarks of data being smuggled through repeated ICMP echo requests. Signal 2 flags execution of named ICMP tunneling utilities (icmpsh, ptunnel, hans, pingtunnel, icmptunnel). Because DeviceNetworkEvents does not log ICMP traffic, this query cannot see the tunnel's network side directly — it must be paired with firewall/NDR telemetry (see the hunting query in the investigation block) for full-chain confirmation.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

  • Network engineers running large-payload ping tests (ping -l 1472) to validate MTU/path fragmentation settings
  • Monitoring tools that use continuous ping (-t) for uptime/latency dashboards
  • Legitimate network troubleshooting scripts that loop ping with high repeat counts

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via ICMP Tunneling (THREAT-Exfiltration-ICMPTunnel) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Oversized ICMP Payload via ping.exe

    Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: ping.exe process creation with CommandLine containing '-l 1400 -n 20'. No corresponding DeviceNetworkEvents entry will be generated, since MDE does not log ICMP traffic.

  2. Test 2Continuous Ping Simulation

    Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: ping.exe with CommandLine containing '-t'.

  3. Test 3Large ICMP Payload via ping (Linux/macOS)

    Expected signal: Auditd EXECVE record for ping with arguments '-s 1400 -c 20 8.8.8.8'. Firewall/NDR sensors will show ICMP echo requests with 1400-byte payloads.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfiltration-ICMPTunnel — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections