EXPLORE
← Back to Explore
elastichighTTP

ICMP Redirect Message from Internal Host

Identifies ICMP Redirect messages (type 5 for IPv4, type 137 for IPv6) sourced from an internal IPv4 or IPv6 address. Legitimate redirects are normally sent only by on-path routers. A workstation or server emitting redirects can indicate route manipulation for adversary-in-the-middle activity.

MITRE ATT&CK

credential-access

Detection Query

data_stream.dataset:network_traffic.icmp
  and (network_traffic.icmp.request.type:(5 or 137) or icmp.request.type:(5 or 137))
  and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FC00::/7" or "FE80::/10")

Author

Elastic

Created

2026/06/25

Data Sources

Network Trafficlogs-network_traffic.icmp-*

Tags

Domain: NetworkTactic: Credential AccessUse Case: Threat DetectionUse Case: Network Security MonitoringData Source: Network TrafficResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/25"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2026/06/25"

[rule]
author = ["Elastic"]
description = """
Identifies ICMP Redirect messages (type 5 for IPv4, type 137 for IPv6) sourced from an internal IPv4 or IPv6 address.
Legitimate redirects are normally sent only by on-path routers. A workstation or server emitting redirects can indicate
route manipulation for adversary-in-the-middle activity.
"""
from = "now-9m"
index = ["logs-network_traffic.icmp-*"]
language = "kuery"
license = "Elastic License v2"
name = "ICMP Redirect Message from Internal Host"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating ICMP Redirect Message from Internal Host

ICMP Redirect instructs a host to send traffic for a destination through a different next hop. On most enterprise
segments, only infrastructure routers should emit redirects; a user workstation or server doing so is a strong
adversary-in-the-middle indicator.

### Possible investigation steps

- Identify the redirect source in `source.ip` and locate the asset on the VLAN. Confirm whether it is an authorized
  router or gateway.
- Review the redirect target and affected destination in ICMP fields and adjacent flow records to see which routes or
  resolvers were being manipulated.
- Check whether affected clients show DNS, gateway, or VPN routing changes around the alert time.
- Correlate with DHCP, ARP, or LLMNR/NBT-NS alerts on the same segment for combined MITM activity.

### False positive analysis

- Some legacy network appliances, hypervisor gateways, or misconfigured Linux hosts with IP forwarding enabled may
  emit redirects. Maintain exceptions for known router and gateway IPs after validation.
- Lab networks that intentionally test route injection should be scoped out by source subnet.

### Response and remediation

- Isolate the emitting host if it is not an authorized router.
- Disable ICMP redirect acceptance on affected clients where policy allows, and block redirect-generating hosts at the
  access layer.
- Review segment routing, default gateways, and DHCP options for unauthorized changes."""
references = [
    "https://www.rfc-editor.org/rfc/rfc792",
    "https://www.rfc-editor.org/rfc/rfc4443",
    "https://zimperium.com/blog/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild",
]
risk_score = 73
rule_id = "2014ebd8-b847-4cc0-a827-d0d61ec88680"
setup = """## Setup

This rule requires ICMP transaction telemetry from the Elastic network_traffic integration (`network_traffic.icmp`
data stream). Flow-only exporters that do not record ICMP type/code will not satisfy this rule.
"""
severity = "high"
tags = [
    "Domain: Network",
    "Tactic: Credential Access",
    "Use Case: Threat Detection",
    "Use Case: Network Security Monitoring",
    "Data Source: Network Traffic",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:network_traffic.icmp
  and (network_traffic.icmp.request.type:(5 or 137) or icmp.request.type:(5 or 137))
  and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FC00::/7" or "FE80::/10")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"