rules/windows/powershell/powershell_icmp_exfiltration.yml

title: PowerShell ICMP Exfiltration
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: experimental
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020/10/10
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: windows
    service: powershell
    definition: Script block logging must be enabled
detection:
    selection:
        EventID: 4104
        ScriptBlockText|contains|all:
          - 'New-Object'
          - 'System.Net.NetworkInformation.Ping'
          - '.Send('
    condition: selection
falsepositives:
    - Legitimate usage of System.Net.NetworkInformation.Ping class
level: medium
[OSCD] Create powershell_icmp_exfiltration.yml #1013 2020-10-10 23:05:31 +02:00			`title: PowerShell ICMP Exfiltration`
			`id: 4c4af3cd-2115-479c-8193-6b8bfce9001c`
			`status: experimental`
			`description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp`
			`author: 'Bartlomiej Czyz @bczyz1, oscd.community'`
			`date: 2020/10/10`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1048.003`
			`logsource:`
			`product: windows`
			`service: powershell`
$frack113$ Cleanup PS rules 2021-08-21 09:58:58 +02:00			`definition: Script block logging must be enabled`
[OSCD] Create powershell_icmp_exfiltration.yml #1013 2020-10-10 23:05:31 +02:00			`detection:`
			`selection:`
			`EventID: 4104`
			`ScriptBlockText\|contains\|all:`
			`- 'New-Object'`
			`- 'System.Net.NetworkInformation.Ping'`
			`- '.Send('`
			`condition: selection`
			`falsepositives:`
			`- Legitimate usage of System.Net.NetworkInformation.Ping class`
[OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013 2020-10-10 23:08:39 +02:00			`level: medium`