
Summary
This detection rule flags potential ICMP tunneling by identifying ICMP echo requests (ICMPv4 type 8 and ICMPv6 type 128) sent from internal hosts to external destinations with unusually large payloads. It relies on the network_traffic.icmp data stream and requires payload visibility (network.bytes >= 256). The rule treats the private IPv4 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and the IPv6 range FC00::/7 as internal sources, and excludes destinations in common private ranges to reduce noise. A match suggests a covert channel or data exfiltration carried in ICMP echo payloads, a pattern associated with C2 and tunneling tools.

MITRE ATT&CK mappings are T1095 Non-Application Layer Protocol and T1572 Protocol Tunneling under the Command and Control tactic. The rule carries a risk_score of 47 and a severity of medium, and is powered by the Elastic network_traffic integration, which must be configured to capture ICMP payload data.

The query is a new_terms rule over source.ip and destination.ip with a history window of seven days: a source/destination pair alerts only the first time it appears within that window. The underlying filter matches on ICMP type, transport (icmp or ipv6-icmp), internal source ranges, the external destination exclusions, and payload size.

Investigation should confirm the role of the source host, look for beacon-like cadence to the same destination, compare payload sizes across conversations for asymmetry, and correlate with endpoint telemetry for non-standard ping tools. False positives include path MTU discovery, diagnostic utilities, and cloud health checks that send larger ICMP payloads; validate against known monitoring sources and documentation. Recommended remediation is to block outbound ICMP at the perimeter (or restrict it to approved paths), isolate the source host if covert tooling is confirmed, and check the external destination against threat intelligence before blocking it.
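The filter, the new_terms first-seen logic and the cadence check described above, as an added worked example run over constructed events. This is not the rule's own query and not Elastic integration code. Field names other than those on the page (network.transport, network.bytes, source.ip, destination.ip) are assumptions: the ICMP type is carried as "icmp.request.type", and the destination exclusion list is approximated as the internal ranges plus loopback, link-local, multicast and unspecified addresses, since the rule's exact exclusions are not given here.

```python
"""Added example: stand-alone re-implementation of the rule's filter, a
new-terms style first-seen check, and a per-conversation triage helper, run
over constructed network_traffic.icmp-like events. Not the rule's own query
and not Elastic code; field names beyond those on the page are assumed."""
import ipaddress
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Internal source ranges named by the rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
ECHO_REQUEST_TYPES = {8, 128}       # ICMPv4 echo request, ICMPv6 echo request
MIN_BYTES = 256                     # payload threshold used by the rule
HISTORY_WINDOW = timedelta(days=7)  # new_terms history window


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_external(ip):
    # Assumption: the rule's exact exclusion list is not on the page. Treat as
    # non-external anything internal, loopback, link-local, multicast or
    # unspecified, none of which is a plausible tunnel endpoint across the perimeter.
    addr = ipaddress.ip_address(ip)
    return not (is_internal(ip) or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified)


def matches_filter(ev):
    """Per-event filter: echo request, large, internal source, external destination."""
    return (ev.get("network.transport") in ("icmp", "ipv6-icmp")
            and ev.get("icmp.request.type") in ECHO_REQUEST_TYPES   # assumed field name
            and ev.get("network.bytes", 0) >= MIN_BYTES
            and is_internal(ev["source.ip"])
            and is_external(ev["destination.ip"]))


def new_term_alerts(events, history_window=HISTORY_WINDOW):
    """Return filter-matching events whose (source.ip, destination.ip) pair was
    not seen among matching events within the preceding history window. This
    mirrors new_terms over the two fields named by the rule."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        pair = (ev["source.ip"], ev["destination.ip"])
        prev = last_seen.get(pair)
        if prev is None or ev["@timestamp"] - prev > history_window:
            alerts.append(ev)
        last_seen[pair] = ev["@timestamp"]
    return alerts


def triage_pair(events, src, dst, start, end):
    """Investigation helper for one conversation in [start, end): event count,
    payload size spread and cadence. cadence_cv is the coefficient of variation
    of inter-arrival times; values near 0 mean a fixed period (beacon-like)."""
    ts, sizes = [], []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ((ev["source.ip"], ev["destination.ip"]) == (src, dst)
                and start <= ev["@timestamp"] < end and matches_filter(ev)):
            ts.append(ev["@timestamp"])
            sizes.append(ev["network.bytes"])
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
    return {"count": len(ts), "min_bytes": min(sizes, default=None),
            "max_bytes": max(sizes, default=None), "cadence_cv": cv}


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _ev(ts, src, dst, nbytes, transport="icmp", icmp_type=8):
    return {"@timestamp": ts, "network.transport": transport,
            "icmp.request.type": icmp_type, "network.bytes": nbytes,
            "source.ip": src, "destination.ip": dst}


SAMPLE_EVENTS = [
    _ev(T0, "10.1.2.3", "8.8.8.8", 84),                              # ordinary small ping
    *[_ev(T0 + timedelta(seconds=60 * i), "10.1.2.3", "203.0.113.10", 1400)
      for i in range(5)],                                            # large, every 60 s
    _ev(T0 + timedelta(days=1), "10.1.2.3", "203.0.113.10", 1400),   # repeat inside window
    _ev(T0 + timedelta(days=10), "10.1.2.3", "203.0.113.10", 1400),  # repeat after window
    _ev(T0, "192.168.1.10", "10.9.9.9", 1400),                       # internal to internal
    _ev(T0, "fd00::1", "2001:db8::1", 600, "ipv6-icmp", 128),        # IPv6 echo request
]

if __name__ == "__main__":
    for a in new_term_alerts(SAMPLE_EVENTS):
        print(a["@timestamp"].isoformat(), a["source.ip"], "->",
              a["destination.ip"], a["network.bytes"])
    print(triage_pair(SAMPLE_EVENTS, "10.1.2.3", "203.0.113.10", T0, T0.replace(hour=1)))
```

Against the constructed events this yields three alerts: the first large echo to 203.0.113.10, the IPv6 echo to 2001:db8::1, and the 203.0.113.10 repeat ten days later, once the seven-day window has expired. The day-one repeat is suppressed, as new_terms would suppress it, and the internal-to-internal and small-payload pings never pass the filter. The triage helper reports a cadence_cv of 0.0 for the five one-minute echoes, the fixed-period signature the investigation guidance asks analysts to look for.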
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1572
- T1095
Created: 2026-06-25