Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ICMP-C2Exfiltration.

Upgrade to Pro
THREAT-ICMP-C2Exfiltration

Exfiltration Over C2 Channel — Data Exfiltration via ICMP Covert Channel

Exfiltration Last updated:

Tools such as icmpsh, ptunnel, icmptunnel, Nishang's Invoke-PowerShellIcmp, and Cobalt Strike's ICMP beacon exfiltrate collected data by embedding it in the payload of ICMP Echo Request (Type 8) packets and relying on an adversary-controlled listener to reassemble it from Echo Reply traffic. ICMP is exceptionally effective as an exfiltration channel because it is a network-layer control protocol that most firewalls and proxies pass without content inspection or logging, and it requires no application-layer handshake, DNS resolution, or TLS certificate that could be fingerprinted. PLATINUM has been documented using ICMP as a communication and file-transfer channel specifically because it evades traditional network intrusion detection that focuses on TCP/UDP application traffic. Critically, this technique also evades most process-centric EDR network telemetry: Sysmon's Network Connection event (Event ID 3) and Microsoft Defender for Endpoint's DeviceNetworkEvents only monitor TCP/UDP socket activity and do not record raw ICMP traffic at all, so detection here requires visibility from genuinely ICMP-capable network-layer sensors — NGFW/firewall session logs, Zeek/Bro network-tap conn.log, or flow collectors (NetFlow/IPFIX/QFlow). This differs from the generic T1041 base record (which centers on HTTP/DNS beaconing patterns) in that ICMP tunnels are identifiable by a distinct network-layer fingerprint: abnormal session/packet volume to a single destination, oversized payload-per-session inconsistent with diagnostic ping, and sustained session duration outside of standard troubleshooting use.

What is THREAT-ICMP-C2Exfiltration Data Exfiltration via ICMP Covert Channel?

Data Exfiltration via ICMP Covert Channel (THREAT-ICMP-C2Exfiltration) is a sub-technique of Exfiltration Over C2 Channel (T1041) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.

This page provides production-ready detection logic for Data Exfiltration via ICMP Covert Channel, covering the data sources and telemetry it touches: Network Traffic: Network Traffic Content, Network Traffic: Network Connection Creation, NGFW/Firewall session logs (CommonSecurityLog via CEF connector). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let LookbackWindow = 24h;
let MinSessionCount = 200; // sustained tunneling logs far more permitted ICMP sessions than occasional diagnostic pings
let MinAvgBytesPerSession = 100; // default OS ping payload is 32-64 bytes; tunneling tools pad payload well beyond that to carry data
let MinDurationMinutes = 10; // tunnels run continuously rather than as a one-off burst
CommonSecurityLog
| where TimeGenerated > ago(LookbackWindow)
| where Protocol =~ "ICMP"
| where DeviceAction in~ ("allow", "permit", "accept")
| where ipv4_is_private(DestinationIP) == false
| summarize
    SessionCount = count(),
    TotalBytes = sum(SentBytes + ReceivedBytes),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, DestinationIP, DeviceVendor, DeviceProduct
| extend AvgBytesPerSession = TotalBytes / SessionCount
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend IsHighVolume = SessionCount >= MinSessionCount
| extend IsOversizedPayload = AvgBytesPerSession >= MinAvgBytesPerSession
| extend IsSustained = DurationMinutes >= MinDurationMinutes
| extend IcmpScore = tolong(IsHighVolume) + tolong(IsOversizedPayload) + tolong(IsSustained)
| where IcmpScore >= 2
| project FirstSeen, LastSeen, SourceIP, DestinationIP, DeviceVendor, DeviceProduct,
    SessionCount, TotalBytes, AvgBytesPerSession, DurationMinutes, IcmpScore
| sort by IcmpScore desc, SessionCount desc

Detects ICMP-based covert-channel exfiltration using CommonSecurityLog, the Sentinel table populated by CEF-emitting NGFW/firewall connectors (Palo Alto, Fortinet, Check Point, Cisco ASA), which log real ICMP session activity that endpoint EDR telemetry cannot see. Aggregates permitted ICMP sessions per source/destination pair and scores three fingerprints: (1) sustained high session volume inconsistent with a one-off diagnostic ping, (2) average payload bytes per session well above the standard 32-64 byte OS ping default, indicating tunneling tools padding packets to carry data, and (3) session activity sustained over a duration inconsistent with routine troubleshooting. A composite score of 2+ triggers the alert.

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Connection Creation NGFW/Firewall session logs (CommonSecurityLog via CEF connector)

Required Tables

CommonSecurityLog

False Positives

  • Network operations and monitoring teams running legitimate sustained ping-based availability checks (e.g. smokeping, PRTG ICMP sensors) against external endpoints
  • ISP or WAN circuit health-check appliances that continuously ping a small set of external anchor IPs (e.g. 8.8.8.8, 1.1.1.1) for uptime/latency monitoring
  • Path MTU discovery tooling and network diagnostics using oversized ping payloads during legitimate troubleshooting
  • Security tooling itself (vulnerability scanners, network mapping tools) generating high-volume ICMP sweeps as part of authorized scanning

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via ICMP Covert Channel (THREAT-ICMP-C2Exfiltration) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated ICMP Tunneling via Oversized Ping Payload Burst

    Expected signal: CommonSecurityLog (or Zeek conn.log): ~60 permitted ICMP session records between the test host's source IP and 198.51.100.10, each with SentBytes/orig_ip_bytes reflecting the 128-byte payload (well above the 56-byte default), spanning roughly 12 seconds. Sysmon/MDE will NOT show this traffic — that is expected and confirms the endpoint-blind-spot this detection is designed to cover.

  2. Test 2Sustained Single-Destination ICMP Session Simulation

    Expected signal: CommonSecurityLog (or Zeek conn.log): 400 permitted ICMP session records from the test host to 198.51.100.10 spanning approximately 3-4 minutes, with SessionCount and DurationMinutes both elevated relative to normal diagnostic traffic patterns.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-ICMP-C2Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections