This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2020-02-19 08:28 AM

Validity of DET (Data Exfiltration Toolkit - ICMP Mode)

Can someone let me know if the DET (Data Exfiltration Toolkit - ICMP Mode) is accurately identified by CP?

I am seeing these in the Security Checkup environment from multiple sources that are Meraki Wi-Fi access points.

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-02-21 05:55 PM

Is it an IPS protection that's firing or something else?
Can you provide a sanitized screenshot of what you're seeing?

I don't see a specific IPS protection for this.
I know you can limit ping size using IPS protections.
One of the protections (Max Ping Echo Reply Size) is disabled by default since it has critical performance impact.
0 Kudos
Vladimir
Champion
Champion
‎2020-02-22 06:38 AM
In response to PhoneBoy

Certainly:

 

DET detection eventsDET detection events

 

The volume of these events is relatively low, from one to 10 events per day. Server Outbound Bytes seems to be too low to indicate actual exfiltration attempt.

image002.png

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-22 12:29 PM
In response to Vladimir

Ah yes, I should have checked App Control 😬
Might be worth opening a TAC case with packet captures.
Could be a false positive.
0 Kudos
Vladimir
Champion
Champion
‎2020-02-24 05:24 AM
In response to PhoneBoy

Thanks,

 

Not sure if we can during Security Checkup.

I have one more candidate for false-positives: "Repetitive SMB Rename Command Attempts" flagging MS Teams actions all the time.

I have observed the behavior in Teams, when trying to attach an identical file to a different conversation, Teams overrides the previously uploaded one.

Additionally, there are background actions in Teams cache that are causing repetitive renames.

So  we are frequently encountering:

DET_Event.png

SMB_Repetetive_Renames.png

Especially when dealing with redirected folders or network shares in Teams.

Preview file
27 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events