Validity of DET (Data Exfiltration Toolkit - ICMP Mode)
Can someone let me know if the DET (Data Exfiltration Toolkit - ICMP Mode) is accurately identified by CP?
I am seeing these in the Security Checkup environment from multiple sources that are Meraki Wi-Fi access points.
Can you provide a sanitized screenshot of what you're seeing?
I don't see a specific IPS protection for this.
I know you can limit ping size using IPS protections.
One of the protections (Max Ping Echo Reply Size) is disabled by default since it has critical performance impact.
Certainly:
The volume of these events is relatively low, from one to 10 events per day. Server Outbound Bytes seems to be too low to indicate actual exfiltration attempt.
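The reasoning in this reply (very few events per day, outbound byte counts too small to carry anything) can be turned into a repeatable first-pass triage. This is an added example, not part of the thread or any Check Point tooling; the log line format, field names and thresholds are constructed for illustration.

```python
"""First-pass triage for ICMP exfiltration alerts (added example, not vendor code).

Groups alerts per source, sums the reported outbound bytes and compares the
average per-packet payload with sizes that ordinary ping clients send.
Log format, field names and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample alert lines: source, protection name, packet count, outbound bytes
SAMPLE_LOGS = [
    "src=10.1.20.11 protection=DET_ICMP packets=3 out_bytes=192",
    "src=10.1.20.11 protection=DET_ICMP packets=2 out_bytes=128",
    "src=10.1.20.42 protection=DET_ICMP packets=40 out_bytes=51200",
]

# Payload sizes commonly produced by stock ping implementations (assumption)
TYPICAL_PAYLOAD_BYTES = {32, 56, 64}
# Below this daily total per source the volume cannot carry meaningful data (assumption)
MIN_INTERESTING_BYTES = 4096


def parse_line(line):
    """Parse one constructed key=value alert line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": fields["src"],
        "packets": int(fields["packets"]),
        "out_bytes": int(fields["out_bytes"]),
    }


def triage(lines):
    """Return a verdict string per source based on volume and payload size."""
    per_src = defaultdict(lambda: {"packets": 0, "out_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        per_src[rec["src"]]["packets"] += rec["packets"]
        per_src[rec["src"]]["out_bytes"] += rec["out_bytes"]

    verdicts = {}
    for src, agg in per_src.items():
        avg_payload = agg["out_bytes"] / agg["packets"] if agg["packets"] else 0
        low_volume = agg["out_bytes"] < MIN_INTERESTING_BYTES
        standard_size = round(avg_payload) in TYPICAL_PAYLOAD_BYTES
        if low_volume and standard_size:
            verdicts[src] = "likely benign: standard echo sizes, negligible volume"
        elif not low_volume and not standard_size:
            verdicts[src] = "investigate: sustained volume with atypical payload size, capture packets"
        else:
            verdicts[src] = "review: mixed indicators"
    return verdicts
```

A source that only ever sends standard-sized echoes at a few hundred bytes per day lands in the benign bucket; the verdict is a prioritisation aid, and a packet capture (as suggested in the thread) remains the way to confirm either way.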
Might be worth opening a TAC case with packet captures.
Could be a false positive.
Thanks,
Not sure if we can during Security Checkup.
I have one more candidate for false positives: "Repetitive SMB Rename Command Attempts" flagging MS Teams actions all the time.
I have observed the behavior in Teams, when trying to attach an identical file to a different conversation, Teams overrides the previously uploaded one.
Additionally, there are background actions in Teams cache that are causing repetitive renames.
So we are frequently encountering:
Especially when dealing with redirected folders or network shares in Teams.