Techniques
Sample rules
PowerShell ICMP Exfiltration
- source: sigma
- techniques:
  - t1048
  - t1048.003
Description
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.
Detection logic
selection:
  ScriptBlockText|contains|all:
    - New-Object
    - System.Net.NetworkInformation.Ping
    - .Send(
condition: selection
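The selection above is a single Sigma `contains|all` test on the ScriptBlockText field: an event matches only when all three substrings occur somewhere in the logged script block, and the condition is just that selection. The Python below is an added example (not part of the Sigma rule or the Sigma project) that implements that modifier and runs it over a handful of constructed PowerShell Script Block Logging records (Event ID 4104 shaped); the event shape and sample script text are assumptions made for the demonstration.

```python
"""Added example: evaluate the rule's ScriptBlockText|contains|all selection
against constructed PowerShell script block log entries."""

# The three substrings listed under ScriptBlockText|contains|all in the rule.
REQUIRED_SUBSTRINGS = (
    "New-Object",
    "System.Net.NetworkInformation.Ping",
    ".Send(",
)


def contains_all(text: str, needles=REQUIRED_SUBSTRINGS) -> bool:
    """Sigma's 'contains|all' modifier: every listed value must occur somewhere
    in the field. Sigma string matching is case-insensitive by default, so both
    sides are folded to lower case before the substring test."""
    haystack = text.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_rule(event: dict) -> bool:
    """Apply the rule's single selection to one event. The condition is just
    'selection', so the event matches exactly when the selection does."""
    script_block = event.get("ScriptBlockText")
    if not isinstance(script_block, str):
        return False  # field absent: the selection cannot match
    return contains_all(script_block)


def scan(events):
    """Return the events that would trigger the rule, preserving order."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events shaped like PowerShell Script Block Logging
# records (Event ID 4104). Only ScriptBlockText is consulted by the rule.
SAMPLE_EVENTS = [
    # all three substrings present: matches
    {"EventID": 4104, "ScriptBlockText":
        "$p = New-Object System.Net.NetworkInformation.Ping; $p.Send($target, 1000, $buffer)"},
    # same tokens in different case: still matches (case-insensitive)
    {"EventID": 4104, "ScriptBlockText":
        "$P = NEW-OBJECT system.net.networkinformation.ping; $P.SEND($target)"},
    # ordinary ICMP reachability check via the cmdlet: no match
    {"EventID": 4104, "ScriptBlockText": "Test-Connection -ComputerName $target -Count 2"},
    # unrelated script block: no match
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    # record with no ScriptBlockText field at all: no match
    {"EventID": 4104},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matches_rule(event), event.get("ScriptBlockText"))
```

The page lists no logsource for the rule, so the example checks only the field the selection names; in a real deployment the Sigma backend restricts the rule to PowerShell script block events before this substring test runs.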