ID | Technique | Tactic |
---|---|---|
T1095 | Non-Application Layer Protocol | Command And Control |
Detection: Detect Large ICMP Traffic
Description
The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packets that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
Search
```spl
| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action
  from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
  by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol, All_Traffic.bytes, All_Traffic.app, All_Traffic.bytes_in, All_Traffic.bytes_out, All_Traffic.dest_port, All_Traffic.dvc, All_Traffic.protocol_version,
  All_Traffic.src_port, All_Traffic.user, All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`
```
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Palo Alto Network Traffic | | 'pan:traffic' | 'screenconnect_palo_traffic' |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
detect_large_icmp_traffic_filter | search * |
detect_large_icmp_traffic_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro detect_large_icmp_traffic_filter to adjust the byte threshold or add specific IP addresses to an allow list.
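To make the search logic above and the tuning described here concrete, the following added Python example (not part of the Splunk content or the original page) re-implements the WHERE clause and the per-source/destination aggregation over constructed sample events that use Network_Traffic field names. The byte_threshold and dest_allowlist parameters are assumptions standing in for the edits one would make to the detect_large_icmp_traffic_filter macro.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events normalised to Network_Traffic field names (not real pan:traffic logs).
SAMPLE_TRAFFIC = [
    {"_time": 1700000000, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "protocol": "icmp",
     "transport": "icmp", "action": "allowed", "bytes_in": 900, "bytes_out": 1100},    # match
    {"_time": 1700000060, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "protocol": "icmp",
     "transport": "icmp", "action": "allowed", "bytes_in": 64, "bytes_out": 1500},     # match
    {"_time": 1700000120, "src_ip": "10.1.2.4", "dest_ip": "192.168.5.9", "protocol": "icmp",
     "transport": "icmp", "action": "allowed", "bytes_in": 4000, "bytes_out": 4000},   # internal dest
    {"_time": 1700000180, "src_ip": "10.1.2.5", "dest_ip": "198.51.100.7", "protocol": "icmp",
     "transport": "icmp", "action": "blocked", "bytes_in": 3000, "bytes_out": 3000},   # blocked
    {"_time": 1700000240, "src_ip": "10.1.2.6", "dest_ip": "198.51.100.7", "protocol": "ip",
     "transport": "tcp", "action": "allowed", "bytes_in": 5000, "bytes_out": 5000},    # not ICMP
    {"_time": 1700000300, "src_ip": "10.1.2.7", "dest_ip": "198.51.100.8", "protocol": "icmp",
     "transport": "icmp", "action": "allowed", "bytes_in": 40, "bytes_out": 60},       # under threshold
]

# The three RFC 1918 ranges excluded by the search's NOT ... IN clause.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matches(rec, byte_threshold=1000):
    """Mirror the tstats WHERE clause; All_Traffic.bytes is bytes_in + bytes_out."""
    total = rec.get("bytes_in", 0) + rec.get("bytes_out", 0)
    is_icmp = rec.get("protocol") == "icmp" or rec.get("transport") == "icmp"
    return (is_icmp and rec.get("action") != "blocked"
            and total > byte_threshold and not is_internal(rec["dest_ip"]))

def detect_large_icmp(records, byte_threshold=1000, dest_allowlist=()):
    """Aggregate matches per (src_ip, dest_ip), collapsing the SPL's per-bytes rows.
    dest_allowlist (assumed) plays the role of the detect_large_icmp_traffic_filter macro."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "max_bytes": 0})
    for rec in sorted(records, key=lambda r: r["_time"]):
        if not matches(rec, byte_threshold) or rec["dest_ip"] in dest_allowlist:
            continue
        g = groups[(rec["src_ip"], rec["dest_ip"])]
        g["count"] += 1
        g["firstTime"] = rec["_time"] if g["firstTime"] is None else g["firstTime"]
        g["lastTime"] = rec["_time"]
        g["max_bytes"] = max(g["max_bytes"], rec["bytes_in"] + rec["bytes_out"])
    return dict(groups)
```

Only the two events from 10.1.2.3 to 203.0.113.10 survive the filter; the internal-destination, blocked, non-ICMP and small-packet events show why each clause of the search is there.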
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
src_ip | system | 25 | No Threat Objects |
dest_ip | system | 25 | No Threat Objects |
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | pan:traffic | pan:traffic |
Integration | ✅ Passing | Dataset | pan:traffic | pan:traffic |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1