
ICMP Redirect Message from Internal Host

Elastic Detection Rules

Summary
Detects ICMP Redirect messages (IPv4 type 5, IPv6 type 137) emitted from internal hosts, which can indicate adversary-in-the-middle activity and route manipulation. The rule analyzes the network_traffic.icmp data stream and triggers when ICMP redirect types are seen from source IPs within private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or IPv6 local ranges. Redirects should originate from on-path routers; a workstation or server emitting redirects is a strong MITM indicator. The rule maps to MITRE ATT&CK Adversary-in-the-Middle (T1557) under Credential Access. Investigators should verify the redirect source and destination, check for correlated routing changes, and look for DHCP/ARP/LLMNR/NBT-NS indicators that could signify broader MITM activity. Remediation includes isolating unauthorized hosts, disabling ICMP redirects where policy allows, and reviewing DHCP options and default gateway configurations to prevent future route injection.
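The following Python is an added illustration of the detection logic the summary describes; it is not the Elastic rule's own query or the data stream's field names. It checks constructed ICMP events against the private IPv4 ranges named above, assumes fe80::/10 and fc00::/7 as the IPv6 local ranges, and uses a flat event shape that is a simplification of the real records.

```python
import ipaddress

# ICMP type values the rule summary names for a redirect.
ICMPV4_REDIRECT = 5
ICMPV6_REDIRECT = 137

# Private IPv4 ranges from the summary; the IPv6 "local ranges" are an
# assumption here: link-local (fe80::/10) and unique-local (fc00::/7).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]


def is_internal(ip: str) -> bool:
    """True if the address parses and falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_redirect(event: dict) -> bool:
    """True if the ICMP type is the redirect type for the event's IP version."""
    icmp_type = event.get("icmp_type")
    if event.get("network_type") == "ipv4":
        return icmp_type == ICMPV4_REDIRECT
    if event.get("network_type") == "ipv6":
        return icmp_type == ICMPV6_REDIRECT
    return False


def find_redirect_alerts(events):
    """Events to triage: ICMP redirects whose source is an internal address."""
    return [e for e in events if is_redirect(e) and is_internal(e["source_ip"])]


# Constructed sample events (simplified, assumed key names; not captured traffic).
SAMPLE_EVENTS = [
    {"source_ip": "192.168.1.50", "destination_ip": "192.168.1.20", "network_type": "ipv4", "icmp_type": 5},
    # A legitimate internal gateway also matches; the summary says to verify the source.
    {"source_ip": "192.168.1.1", "destination_ip": "192.168.1.20", "network_type": "ipv4", "icmp_type": 5},
    {"source_ip": "8.8.8.8", "destination_ip": "192.168.1.20", "network_type": "ipv4", "icmp_type": 5},
    {"source_ip": "10.0.0.7", "destination_ip": "10.0.0.9", "network_type": "ipv4", "icmp_type": 8},
    {"source_ip": "fe80::1", "destination_ip": "fe80::2", "network_type": "ipv6", "icmp_type": 137},
]

if __name__ == "__main__":
    for alert in find_redirect_alerts(SAMPLE_EVENTS):
        print("redirect from internal host:", alert["source_ip"], "->", alert["destination_ip"])
```

Known on-path routers with private addresses match too, so in practice the hits are reviewed against the expected gateway list rather than treated as confirmed adversary-in-the-middle activity.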
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1557
Created: 2026-06-25