Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得

詳細を見る

Research & Insights

Expert insights from Vectra AI data scientists, product engineers and security researchers empower your SOC analysts to make faster, smarter decisions.

Up-level your SOC with insights from security experts at Vectra AI, based on real-world experiences defending hybrid enterprise environments.

Join our security researchers, data scientists, and analysts as we share 11+ years of security-AI research and expertise with the global cybersecurity community.

See the Vectra AI Platform in action.

See how integrated signal from Vectra AI lets you see and stop sophisticated attacks other technologies miss.

Take the interactive tour

Resources

Breaking news and expert insights

Blue Team Workshops, on-demand webinars and global events near you

Join our security researchers, data scientists, and analysts as we share 11+ years of security-AI research and expertise with the global cybersecurity community.

Research reports, attack anatomies, white papers, guides, datasheets and customer stories

Demo Videos & Tours

See the Vectra AI Platform in action.

See how integrated signal from Vectra AI lets you see and stop sophisticated attacks other technologies miss.

Take the interactive tour

Company

See why we’re the world leader in AI security

Request an intro with a Vectra AI security expert

Deployment guides, knowledge base, release notes and security announcements

Join the team behind the world’s first AI-based cybersecurity platform

Breaking news from Vectra AI

Expert insight from security researchers, data scientists and engineers

Now Playing: 2024 State of Threat Detection and Response

Explore key insights from the 2024 State of Threat Detection and Response report, highlighting defender challenges, AI adoption, and the vendor disconnect.

Back to all detections

Command & Control

ICMP Tunnel

ICMP Tunnel

Possible Root Causes

Example Scenarios

Business Impact

Steps to Investigate

MITRE ATT&CK Techniques

Related Detections

Detection overview

Triggers

A host was observed using ICMP in ways inconsistent with standard implementation of the protocol.
More precisely, a host’s ICMP traffic was observed to contain datagrams which vary in size more frequently than typical ICMP traffic would.
An attacker may be using the host to communicate with or transfer data to an external host.

Possible Root Causes

Malicious Detection

An attacker is using ICMP as a staging and/or control channel. An attacker has established persistence & has chosen ICMP as a backup channel.

Benign Detection

A network device like a vulnerability scanner is crafting nonstandard ICMP datagrams.

Business Impact

The presence of an ICMP tunnel indicates the host was compromised & that an attacker has remote access to the machine.
Recon, data exfiltration, lateral movement, privilege escalation, & establishing a tunnel over a more reliable protocol like HTTPS are all likely next steps.
ICMP tunnels can be stealthy and are often used to evade sophisticated perimeter security controls.

Steps to Verify

Check the destination IP & determine if the observed traffic arrives at a trusted endpoint.
Investigate the host for malware, there may be code present which establishes a C2 channel with another host.

ICMP Tunnel

Possible root causes

Malicious Detection

Benign Detection

ICMP Tunnel

Example scenarios

ICMP Tunnel

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

ICMP Tunnel

Steps to investigate

ICMP Tunnel

MITRE ATT&CK techniques covered

Fallback Channels

Non-Application Layer Protocol

ICMP Tunnel

Related detections

No items found.

FAQs