Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-ICMPTunnel.

Upgrade to Pro
THREAT-Exfiltration-ICMPTunnel IBM QRadar · QRadar

Detect Data Exfiltration via ICMP Tunneling in IBM QRadar

Adversaries encode stolen data inside ICMP echo request/reply payloads to exfiltrate over a protocol that is frequently permitted outbound by firewalls even when all other egress is blocked. Public tools such as icmpsh, ptunnel, hans, and pingtunnel wrap a full bidirectional channel inside ICMP type 8/0 packets, and living-off-the-land variants simply abuse the built-in ping utility with oversized payloads (-l on Windows, -s on Linux/macOS) to smuggle data in repeated pings. This technique is a persistent detection gap because most EDR network telemetry (Microsoft Defender for Endpoint DeviceNetworkEvents, Sysmon Event ID 3, CrowdStrike NetworkConnectIP4) only instruments TCP/UDP connection setup and does not log ICMP traffic at all. Reliable detection therefore requires combining process-level visibility (ping.exe / ping binary invoked with abnormal packet-size or repeat-count flags, or unrecognized ICMP tunneling binaries) with network-layer telemetry from firewalls, NetFlow, or NDR/Zeek sensors that do record ICMP as a protocol.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  CASE
    WHEN LOWER("Process Name") LIKE '%icmpsh%' OR LOWER("Process Name") LIKE '%ptunnel%'
      OR LOWER("Process Name") LIKE '%hans%' OR LOWER("Process Name") LIKE '%pingtunnel%' THEN 'KnownICMPTunnelTool'
    WHEN LOWER("Process Name") LIKE '%ping.exe%' AND LOWER("Command") LIKE '%-l%' THEN 'OversizedPing'
    WHEN LOWER("Process Name") LIKE '%ping.exe%' AND LOWER("Command") LIKE '%-t%' THEN 'ContinuousPing'
    ELSE 'Other'
  END AS Signal
FROM events
WHERE
  QIDNAME(qid) LIKE '%Process Create%'
  AND (
    LOWER("Process Name") LIKE '%ping.exe%'
    OR LOWER("Process Name") LIKE '%icmpsh%'
    OR LOWER("Process Name") LIKE '%ptunnel%'
    OR LOWER("Process Name") LIKE '%hans%'
    OR LOWER("Process Name") LIKE '%pingtunnel%'
  )
  AND starttime > NOW() - 86400000
UNION
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  username AS Username,
  'N/A' AS ProcessName,
  'ICMP Flow' AS CommandLine,
  'HighVolumeICMPFlow' AS Signal
FROM flows
WHERE
  protocolid = 1
  AND NOT (destinationip LIKE '10.%' OR destinationip LIKE '192.168.%' OR destinationip LIKE '172.16.%')
  AND starttime > NOW() - 86400000
ORDER BY EventTime DESC
high severity medium confidence

QRadar AQL detection combining process-based events (ping.exe with oversized/continuous flags, or named ICMP tunneling tools) with a UNION over the QRadar flows table filtered to protocolid=1 (ICMP) for external destinations, surfacing candidate high-volume ICMP flows since QRadar's standard events table (populated from endpoint/Windows log sources) does not carry ICMP payload detail.

Data Sources

IBM QRadar SIEMWindows Security/Sysmon Event Log (process creation)QRadar Flow Collector (Layer 3/4 flow data, protocolid=1 for ICMP)

Required Tables

eventsflows

False Positives & Tuning

  • Network operations teams running scheduled MTU validation scripts that use large ping payloads
  • Legitimate network monitoring appliances generating regular ICMP flow records to internal and external hosts

Other platforms for THREAT-Exfiltration-ICMPTunnel


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Oversized ICMP Payload via ping.exe

    Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: ping.exe process creation with CommandLine containing '-l 1400 -n 20'. No corresponding DeviceNetworkEvents entry will be generated, since MDE does not log ICMP traffic.

  2. Test 2Continuous Ping Simulation

    Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: ping.exe with CommandLine containing '-t'.

  3. Test 3Large ICMP Payload via ping (Linux/macOS)

    Expected signal: Auditd EXECVE record for ping with arguments '-s 1400 -c 20 8.8.8.8'. Firewall/NDR sensors will show ICMP echo requests with 1400-byte payloads.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfiltration-ICMPTunnel — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections