ICMP packets are used in a variety of ways to troubleshoot networking issues and ensure the proper flow of traffic, so a large ICMP packet can be perfectly legitimate (for example, an oversized echo request sent to test path MTU). If large ICMP packets are carrying command and control traffic, there will typically be a sustained stream of them between the same pair of hosts over time rather than a single packet, so count and duration per source/destination pair are the first things to check. If the search produces a large number of false positives, modify the macro `detect_large_outbound_icmp_packets_filter` to raise the byte threshold or add specific IP addresses to an allow list.

Techniques

Sample rules

Detect Large Outbound ICMP Packets

Description

This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes, where "outbound" means the destination is outside the RFC 1918 private ranges and is not categorized as internal. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.

Detection logic


| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip 
| `drop_dm_object_name("All_Traffic")` 
| search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_large_outbound_icmp_packets_filter`
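To show what the search above actually does to traffic records, and how the tuning knobs described in the false-positive note (byte threshold, allow list, requiring repeated packets) change the result, here is a Python re-implementation of the same filter-and-aggregate logic run over a handful of constructed Network_Traffic-style events. This is an added example, not code from the LoFP page or from Splunk Security Content; the event records, the `min_count` parameter and the `allow_list` behaviour are assumptions standing in for whatever a team would put into `detect_large_outbound_icmp_packets_filter`.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# RFC 1918 ranges excluded by the "| search dest_ip!=..." clause of the SPL.
PRIVATE_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Constructed sample events (hypothetical, not real telemetry). Field names
# mirror the Network_Traffic data model; _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10",
     "protocol": "icmp", "bytes": 1480, "action": "allowed", "dest_category": "external"},
    {"_time": 1700000060, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10",
     "protocol": "icmp", "bytes": 1480, "action": "allowed", "dest_category": "external"},
    {"_time": 1700000120, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10",
     "protocol": "icmp", "bytes": 1320, "action": "allowed", "dest_category": "external"},
    # One large echo to a public host: the single-packet case the note calls legitimate.
    {"_time": 1700000200, "src_ip": "10.1.2.9", "dest_ip": "198.51.100.20",
     "transport": "icmp", "bytes": 1500, "action": "allowed", "dest_category": "external"},
    # Excluded: private (RFC 1918) destination.
    {"_time": 1700000300, "src_ip": "10.1.2.3", "dest_ip": "192.168.5.5",
     "protocol": "icmp", "bytes": 1480, "action": "allowed", "dest_category": ""},
    # Excluded: normal-sized ping.
    {"_time": 1700000360, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.7",
     "protocol": "icmp", "bytes": 64, "action": "allowed", "dest_category": "external"},
    # Excluded: the firewall already blocked it.
    {"_time": 1700000420, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.7",
     "protocol": "icmp", "bytes": 1200, "action": "blocked", "dest_category": "external"},
    # Excluded: not ICMP.
    {"_time": 1700000480, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10",
     "protocol": "tcp", "bytes": 5000, "action": "allowed", "dest_category": "external"},
    # Excluded: destination categorized as internal despite the public address.
    {"_time": 1700000540, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.7",
     "protocol": "icmp", "bytes": 1200, "action": "allowed", "dest_category": "internal"},
]


def is_rfc1918(ip):
    """True if ip falls in one of the private ranges the search excludes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def ctime(epoch):
    """Stand-in for security_content_ctime: epoch seconds -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_large_outbound_icmp(events, byte_threshold=1000, allow_list=(), min_count=1):
    """Apply the search's filters and aggregate by (src_ip, dest_ip).

    byte_threshold, allow_list and min_count are hypothetical stand-ins for
    the tuning a team would put into detect_large_outbound_icmp_packets_filter.
    """
    allow = set(allow_list)
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "action": set(), "bytes": set()})
    for e in events:
        if e.get("action") == "blocked":            # All_Traffic.action != blocked
            continue
        if e.get("dest_category") == "internal":    # All_Traffic.dest_category != internal
            continue
        if "icmp" not in (e.get("protocol"), e.get("transport")):  # protocol=icmp OR transport=icmp
            continue
        if e.get("bytes", 0) <= byte_threshold:     # All_Traffic.bytes > 1000
            continue
        if is_rfc1918(e["dest_ip"]):                # dest_ip not in 10/8, 172.16/12, 192.168/16
            continue
        if e["src_ip"] in allow or e["dest_ip"] in allow:  # filter-macro allow list
            continue
        g = groups[(e["src_ip"], e["dest_ip"])]
        g["count"] += 1
        t = e["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["action"].add(e.get("action"))
        g["bytes"].add(e["bytes"])
    # Repeated packets to one peer are the C2 signal the note describes;
    # min_count=1 reproduces the search as written.
    return {k: v for k, v in groups.items() if v["count"] >= min_count}


if __name__ == "__main__":
    for (src, dst), g in detect_large_outbound_icmp(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: count={g['count']} first={ctime(g['firstTime'])} "
              f"last={ctime(g['lastTime'])} bytes={sorted(g['bytes'])}")
```

With the defaults the sample data yields two pairs: the three-packet stream from 10.1.2.3 to 203.0.113.10 and the lone 1500-byte echo from 10.1.2.9. Passing `min_count=2` keeps only the repeated stream, `allow_list=["203.0.113.10"]` drops it, and raising `byte_threshold` to 1490 drops it as well while keeping the lone probe, which is why the threshold alone is a blunt tuning tool and the count over time matters.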