PowerShell ICMP Exfiltration
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
Sigma rule (View on GitHub)
1title: PowerShell ICMP Exfiltration
2id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
3status: test
4description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
7author: 'Bartlomiej Czyz @bczyz1, oscd.community'
8date: 2020-10-10
9modified: 2022-12-25
10tags:
11 - attack.exfiltration
12 - attack.t1048.003
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains|all:
20 - 'New-Object'
21 - 'System.Net.NetworkInformation.Ping'
22 - '.Send('
23 condition: selection
24falsepositives:
25 - Legitimate usage of System.Net.NetworkInformation.Ping class
26level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Data Exfiltration with Wget
- Suspicious DNS Query with B64 Encoded String
- Suspicious Outbound SMTP Connections
- Suspicious WebDav Client Execution Via Rundll32.EXE
- WebDav Client Execution Via Rundll32.EXE