Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-ICMPTunnel.
Upgrade to ProDetect Data Exfiltration via ICMP Tunneling in Google Chronicle
Adversaries encode stolen data inside ICMP echo request/reply payloads to exfiltrate over a protocol that is frequently permitted outbound by firewalls even when all other egress is blocked. Public tools such as icmpsh, ptunnel, hans, and pingtunnel wrap a full bidirectional channel inside ICMP type 8/0 packets, and living-off-the-land variants simply abuse the built-in ping utility with oversized payloads (-l on Windows, -s on Linux/macOS) to smuggle data in repeated pings. This technique is a persistent detection gap because most EDR network telemetry (Microsoft Defender for Endpoint DeviceNetworkEvents, Sysmon Event ID 3, CrowdStrike NetworkConnectIP4) only instruments TCP/UDP connection setup and does not log ICMP traffic at all. Reliable detection therefore requires combining process-level visibility (ping.exe / ping binary invoked with abnormal packet-size or repeat-count flags, or unrecognized ICMP tunneling binaries) with network-layer telemetry from firewalls, NetFlow, or NDR/Zeek sensors that do record ICMP as a protocol.
MITRE ATT&CK
- Tactic
- Exfiltration
YARA-L Detection Query
rule icmp_tunnel_exfiltration {
meta:
author = "df00tech Detection Engineering"
description = "Detects host-level indicators of ICMP tunnel exfiltration: oversized/continuous ping usage or named ICMP tunneling tool execution"
severity = "HIGH"
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1048.003"
created = "2026-07-14"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
(
re.regex($e.target.process.file.full_path, `(?i)ping\.exe$`) and
re.regex($e.target.process.command_line, `(?i)(-l\s+\d{4,}|-t\b)`)
)
or
re.regex($e.target.process.file.full_path, `(?i)(icmpsh|ptunnel|hans|pingtunnel|icmptunnel)`)
)
condition:
$e
} Chronicle YARA-L 2.0 rule matching PROCESS_LAUNCH UDM events for oversized (-l with 4+ digit byte count) or continuous (-t) ping.exe invocations, and execution of named ICMP tunneling tools (icmpsh, ptunnel, hans, pingtunnel, icmptunnel). This detects the host-visible precursor to an ICMP tunnel; correlate with NETWORK_CONNECTION events where network.ip_protocol = "ICMP" for network-layer confirmation, since standard endpoint UDM ingestion does not typically capture ICMP flow detail.
Data Sources
Required Tables
False Positives & Tuning
- Network engineering teams validating MTU size with large ping payloads
- Legacy monitoring tools using continuous ping for availability checks
Other platforms for THREAT-Exfiltration-ICMPTunnel
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Oversized ICMP Payload via ping.exe
Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: ping.exe process creation with CommandLine containing '-l 1400 -n 20'. No corresponding DeviceNetworkEvents entry will be generated, since MDE does not log ICMP traffic.
- Test 2Continuous Ping Simulation
Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: ping.exe with CommandLine containing '-t'.
- Test 3Large ICMP Payload via ping (Linux/macOS)
Expected signal: Auditd EXECVE record for ping with arguments '-s 1400 -c 20 8.8.8.8'. Firewall/NDR sensors will show ICMP echo requests with 1400-byte payloads.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Exfiltration-ICMPTunnel — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (2)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-DNSTunnel-ExfilDNS Tunneling for Covert Data ExfiltrationUse for network-side DNS visibility — Zeek/Infoblox resolver logs and pcap; catches tunneling from hosts with no endpoint agent.
- THREAT-DNSTunneling-ExfiltrationData Exfiltration via DNS Tunneling ToolsUse for endpoint DNS telemetry — Sysmon EID 22 / MDE DeviceDnsEvents; adds process attribution and tool fingerprints (iodine, dnscat2, DNSExfiltrator).