PowerShell ICMP Exfiltration

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Sigma rule (View on GitHub)

 1title: PowerShell ICMP Exfiltration
 2id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
 3status: test
 4description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
 7author: 'Bartlomiej Czyz @bczyz1, oscd.community'
 8date: 2020/10/10
 9modified: 2022/12/25
10tags:
11    - attack.exfiltration
12    - attack.t1048.003
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - 'New-Object'
21            - 'System.Net.NetworkInformation.Ping'
22            - '.Send('
23    condition: selection
24falsepositives:
25    - Legitimate usage of System.Net.NetworkInformation.Ping class
26level: medium

References

Related rules

to-top