<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elastic-Detection-Rule - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/elastic-detection-rule/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 04:44:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/elastic-detection-rule/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detecting Potential ICMP Tunneling Activity for Covert C2 and Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2026-07-icmp-tunneling-detection/</link><pubDate>Sun, 05 Jul 2026 04:44:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-icmp-tunneling-detection/</guid><description>This brief describes a critical network threat where attackers leverage ICMP tunneling, a technique to embed command and control (C2) or exfiltrated data within large ICMP Echo payloads, enabling covert communication channels that bypass traditional firewall rules, posing a significant risk of data theft and unauthorized system control.</description><content:encoded><![CDATA[<p>This threat focuses on the sophisticated evasion technique known as ICMP tunneling, which allows adversaries to establish covert communication channels and exfiltrate data from compromised internal networks. Unlike legitimate ICMP traffic, which typically uses small, fixed-size packets for network diagnostics, ICMP tunneling tools embed malicious commands or exfiltrated data within the data payload section of ICMP Echo Request/Reply packets, significantly increasing their size (e.g., greater than 256 bytes). This method is particularly effective at bypassing network defenses that inspect higher-layer protocols but may overlook or allow ICMP traffic. The technique is often used for persistent command and control (C2) communication or to covertly transfer sensitive information out of a network, making it a critical concern for detection engineers. While no specific actor or campaign is detailed, this detection capability is vital for identifying any group employing this stealthy tactic.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker gains initial access to an internal host through various means, such as exploiting a vulnerable service, a successful phishing campaign, or credential compromise.</li>
<li><strong>Tool Deployment</strong>: Once access is established, the attacker deploys a specialized ICMP tunneling client (e.g., <code>icmptunnel</code>, <code>ptunnel</code>, custom malware) onto the compromised internal system.</li>
<li><strong>Tunnel Client Configuration</strong>: The deployed client is configured with the IP address of an external, attacker-controlled command and control (C2) server.</li>
<li><strong>Covert Channel Establishment</strong>: The internal host initiates ICMP Echo Request (ping) packets directed towards the external C2 server over a network connection.</li>
<li><strong>Data Embedding</strong>: Attacker commands, responses, or exfiltrated data are covertly embedded within the data payload section of these ICMP Echo Request packets, causing their size to be significantly larger than typical, legitimate pings (e.g., exceeding 256 bytes).</li>
<li><strong>Command and Control / Exfiltration</strong>: The external C2 server receives these specially crafted large ICMP packets, extracts the embedded data, and replies with its own embedded commands or data via ICMP Echo Reply packets, maintaining a persistent and covert communication channel for C2 or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful ICMP tunneling allows attackers to maintain stealthy, persistent command and control over compromised internal systems, effectively bypassing common network security policies that might permit outbound ICMP traffic. The primary impact includes unauthorized data exfiltration, where sensitive information can be covertly transferred out of the organization's network. Additionally, it enables attackers to remotely issue commands, deploy further malware, or pivot to other systems, leading to broader network compromise, potential ransomware deployment, or long-term espionage. The covert nature of this communication makes detection challenging, increasing the dwell time of adversaries within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM solution to detect unusually large ICMP Echo traffic originating from internal hosts to external destinations.</li>
<li>Ensure that your network traffic logs (<code>network_connection</code> category) capture detailed ICMP transaction information, including packet sizes and types, as described in the Elastic setup notes.</li>
<li>Review firewall policies to block or strictly limit outbound ICMP traffic, allowing only necessary types and sizes for approved monitoring paths, as suggested in the &quot;Response and remediation&quot; section.</li>
<li>Investigate alerts from the Sigma rule by identifying the source host and correlating with endpoint telemetry for unusual process activity (e.g., non-standard ping utilities), as outlined in the &quot;Investigating Potential ICMP Tunneling Activity to the Internet&quot; guide.</li>
<li>Regularly validate and update exceptions for known benign sources and destinations generating larger ICMP payloads (e.g., MTU discovery, specific monitoring tools) to minimize false positives, as noted in the &quot;False positive analysis.&quot;</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>network-security</category><category>command-and-control</category><category>data-exfiltration</category><category>icmp-tunneling</category><category>elastic-detection-rule</category></item></channel></rss>