Vladimir
Champion

Validity of DET (Data Exfiltration Toolkit - ICMP Mode)

Can someone let me know if the DET (Data Exfiltration Toolkit - ICMP Mode) is accurately identified by CP?

I am seeing these in the Security Checkup environment from multiple sources that are Meraki Wi-Fi access points.

4 Replies
PhoneBoy
Admin

Is it an IPS protection that's firing or something else?
Can you provide a sanitized screenshot of what you're seeing?

I don't see a specific IPS protection for this.
I know you can limit ping size using IPS protections.
One of the protections (Max Ping Echo Reply Size) is disabled by default since it has critical performance impact.
Vladimir
Champion

Certainly:

[Screenshot: DET detection events]
The volume of these events is relatively low, from one to 10 events per day. Server Outbound Bytes seems to be too low to indicate actual exfiltration attempt.

[Attachment: image002.png]

PhoneBoy
Admin

Ah yes, I should have checked App Control 😬
Might be worth opening a TAC case with packet captures.
Could be a false positive.
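One way to do that triage yourself before (or alongside) a TAC case: pull the ICMP echo requests from a capture of the flagged sources and check whether the payloads behave like a monitoring ping or like a data carrier. The script below is an added example, not Check Point's code, not DET's code and not from this thread. It does not decode DET's wire format; it applies two generic heuristics (the assumptions here): a keepalive ping repeats a fixed filler and at most a timestamp moves between packets, whereas a tunnel carrying file data changes nearly every payload byte from one echo to the next. The capture is constructed inline (three sources, IP header assumed already stripped, source address passed alongside the raw ICMP message); the flow keys, thresholds and filler patterns are illustrative.

```python
"""Triage ICMP echo requests: keepalive ping or data carrier?

Added example; not Check Point's, DET's or the thread author's code.
Heuristics (assumptions, not a signature): per-flow payload churn
(fraction of bytes that change between consecutive echoes) and
payload entropy. Packets are constructed inline for the demo.
"""
import hashlib
import math
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Well-known default ping fillers, constructed here for the sample capture.
WINDOWS_PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes, fixed
LINUX_PING_FILLER = bytes(range(0x10, 0x38))               # follows an 8-byte timestamp


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Raw ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_request(msg: bytes):
    """(ident, seq, payload) for a well-formed echo request, else None."""
    if len(msg) < 8:
        return None
    icmp_type, _code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        return None  # corrupt or truncated: do not score it
    return ident, seq, msg[8:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload (max 8.0)."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def payload_churn(prev: bytes, cur: bytes) -> float:
    """Fraction of byte positions that changed between consecutive payloads."""
    longest = max(len(prev), len(cur))
    if longest == 0:
        return 0.0
    same = sum(1 for a, b in zip(prev, cur) if a == b)
    return 1.0 - same / longest   # a length change counts as churn too


def triage(packets, churn_threshold=0.5):
    """packets: iterable of (src_ip, raw_icmp_message).

    Echo requests are grouped by (src_ip, ident); each flow gets its
    outbound payload bytes, mean entropy, mean churn and a verdict.
    """
    flows = defaultdict(list)
    for src, msg in packets:
        parsed = parse_echo_request(msg)
        if parsed:
            ident, seq, payload = parsed
            flows[(src, ident)].append((seq, payload))

    report = {}
    for key, items in flows.items():
        items.sort()
        payloads = [p for _, p in items]
        churns = [payload_churn(a, b) for a, b in zip(payloads, payloads[1:])]
        mean_churn = sum(churns) / len(churns) if churns else 0.0
        mean_entropy = sum(map(shannon_entropy, payloads)) / len(payloads)
        report[key] = {
            "packets": len(payloads),
            "outbound_bytes": sum(map(len, payloads)),
            "mean_entropy": round(mean_entropy, 2),
            "mean_churn": round(mean_churn, 2),
            "suspicious": mean_churn > churn_threshold,
        }
    return report


def sample_capture():
    """Constructed traffic: two monitoring pingers and one host pushing data."""
    pkts = []
    for seq in range(1, 6):   # Windows-style pinger: identical filler every time
        pkts.append(("10.0.1.10", build_echo_request(0x0001, seq, WINDOWS_PING_FILLER)))
    for seq in range(1, 6):   # Linux-style pinger: only the 8-byte timestamp moves
        ts = struct.pack("!II", 1_700_000_000 + seq, seq * 1000)
        pkts.append(("10.0.1.20", build_echo_request(0x1234, seq, ts + LINUX_PING_FILLER)))
    for seq in range(1, 6):   # data carrier: a fresh 64-byte chunk in every echo
        chunk = hashlib.sha512(b"chunk-%d" % seq).digest()  # stand-in for file data
        pkts.append(("10.0.1.30", build_echo_request(0xBEEF, seq, chunk)))
    return pkts


if __name__ == "__main__":
    for (src, ident), r in triage(sample_capture()).items():
        print(f"{src} id=0x{ident:04x} {r}")
```

Churn, not entropy, is the deciding metric on purpose: the default Linux ping filler is 40 consecutive byte values, so its entropy is as high as random data and an entropy-only rule would flag every Linux pinger. A Meraki AP's connectivity pings should show near-zero churn and a small, steady byte count; a flow whose payload changes almost entirely every packet is worth the TAC case and the packet captures.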
Vladimir
Champion

Thanks,

Not sure if we can during Security Checkup.

I have one more candidate for false positives: "Repetitive SMB Rename Command Attempts" flagging MS Teams actions all the time.

I have observed the behavior in Teams, when trying to attach an identical file to a different conversation, Teams overrides the previously uploaded one.

Additionally, there are background actions in Teams cache that are causing repetitive renames.

So we are frequently encountering:

[Attachment: DET_Event.png]

[Attachment: SMB_Repetetive_Renames.png]

Especially when dealing with redirected folders or network shares in Teams.
