Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ICMP-C2Exfiltration.
Upgrade to ProDetect Data Exfiltration via ICMP Covert Channel in Splunk
Tools such as icmpsh, ptunnel, icmptunnel, Nishang's Invoke-PowerShellIcmp, and Cobalt Strike's ICMP beacon exfiltrate collected data by embedding it in the payload of ICMP Echo Request (Type 8) packets and relying on an adversary-controlled listener to reassemble it from Echo Reply traffic. ICMP is exceptionally effective as an exfiltration channel because it is a network-layer control protocol that most firewalls and proxies pass without content inspection or logging, and it requires no application-layer handshake, DNS resolution, or TLS certificate that could be fingerprinted. PLATINUM has been documented using ICMP as a communication and file-transfer channel specifically because it evades traditional network intrusion detection that focuses on TCP/UDP application traffic. Critically, this technique also evades most process-centric EDR network telemetry: Sysmon's Network Connection event (Event ID 3) and Microsoft Defender for Endpoint's DeviceNetworkEvents only monitor TCP/UDP socket activity and do not record raw ICMP traffic at all, so detection here requires visibility from genuinely ICMP-capable network-layer sensors — NGFW/firewall session logs, Zeek/Bro network-tap conn.log, or flow collectors (NetFlow/IPFIX/QFlow). This differs from the generic T1041 base record (which centers on HTTP/DNS beaconing patterns) in that ICMP tunnels are identifiable by a distinct network-layer fingerprint: abnormal session/packet volume to a single destination, oversized payload-per-session inconsistent with diagnostic ping, and sustained session duration outside of standard troubleshooting use.
MITRE ATT&CK
- Tactic
- Exfiltration
SPL Detection Query
index=zeek sourcetype="bro:conn:json" proto="icmp"
| where NOT (cidrmatch("10.0.0.0/8", 'id.resp_h') OR cidrmatch("172.16.0.0/12", 'id.resp_h') OR cidrmatch("192.168.0.0/16", 'id.resp_h') OR cidrmatch("127.0.0.0/8", 'id.resp_h'))
| stats
count as SessionCount,
sum(orig_pkts) as TotalPackets,
sum(orig_ip_bytes + resp_ip_bytes) as TotalBytes,
earliest(ts) as FirstSeen,
latest(ts) as LastSeen
by 'id.orig_h', 'id.resp_h'
| eval AvgBytesPerPacket=round(TotalBytes/TotalPackets, 1)
| eval DurationMinutes=round((LastSeen-FirstSeen)/60, 1)
| eval IsHighVolume=if(TotalPackets>=500, 1, 0)
| eval IsOversizedPayload=if(AvgBytesPerPacket>=100, 1, 0)
| eval IsSustained=if(DurationMinutes>=10, 1, 0)
| eval IcmpScore=IsHighVolume+IsOversizedPayload+IsSustained
| where IcmpScore>=2
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeen, LastSeen, 'id.orig_h', 'id.resp_h', SessionCount, TotalPackets, TotalBytes, AvgBytesPerPacket, DurationMinutes, IcmpScore
| sort - IcmpScore, - TotalPackets Splunk equivalent scoring model over Zeek/Bro conn.log (proto=icmp), ingested from a network tap or span port. Unlike Sysmon Event ID 3 — which does not record ICMP at all — Zeek's packet-capture-based sensor genuinely observes ICMP traffic and reports real packet/byte counters (orig_pkts, orig_ip_bytes, resp_ip_bytes) per conversation. Flags source/destination pairs with sustained high packet volume, oversized average payload per packet relative to standard diagnostic ping sizes, and sessions sustained well beyond a one-off troubleshooting ping — the combined fingerprint of ICMP tunneling tools such as icmpsh and ptunnel.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate network monitoring tools (smokeping, PRTG) performing sustained ICMP availability checks
- Path MTU discovery and network troubleshooting using oversized ping payloads
- Authorized vulnerability scanning or network mapping generating high-volume ICMP sweeps
Other platforms for THREAT-ICMP-C2Exfiltration
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated ICMP Tunneling via Oversized Ping Payload Burst
Expected signal: CommonSecurityLog (or Zeek conn.log): ~60 permitted ICMP session records between the test host's source IP and 198.51.100.10, each with SentBytes/orig_ip_bytes reflecting the 128-byte payload (well above the 56-byte default), spanning roughly 12 seconds. Sysmon/MDE will NOT show this traffic — that is expected and confirms the endpoint-blind-spot this detection is designed to cover.
- Test 2Sustained Single-Destination ICMP Session Simulation
Expected signal: CommonSecurityLog (or Zeek conn.log): 400 permitted ICMP session records from the test host to 198.51.100.10 spanning approximately 3-4 minutes, with SessionCount and DurationMinutes both elevated relative to normal diagnostic traffic patterns.
References (8)
- https://attack.mitre.org/techniques/T1041/
- https://attack.mitre.org/techniques/T1095/
- https://www.microsoft.com/en-us/security/blog/2017/04/24/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/
- https://github.com/inquisb/icmpsh
- https://github.com/utoni/ptunnel-ng
- https://github.com/samratashok/nishang
- https://github.com/SigmaHQ/sigma/tree/master/rules/network
- https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-ICMP-C2Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month