sigmamediumHunting

PowerShell ICMP Exfiltration

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

MITRE ATT&CK

T1048.003

exfiltration

Detection Query

selection:
  ScriptBlockText|contains|all:
    - New-Object
    - System.Net.NetworkInformation.Ping
    - .Send(
condition: selection

Author

Bartlomiej Czyz @bczyz1, oscd.community

Created

2020-10-10

Data Sources

windowsps_script

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp

Tags

attack.exfiltrationattack.t1048.003

Raw Content

title: PowerShell ICMP Exfiltration
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: test
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020-10-10
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'System.Net.NetworkInformation.Ping'
            - '.Send('
    condition: selection
falsepositives:
    - Legitimate usage of System.Net.NetworkInformation.Ping class
level: medium