
over 8 years ago

New samples -- Analyzing ICMP with NetMon

If you came to Black Hat 2017 or follow LogRhythm's Blog, you may have noticed two new posts showing how to use Network Monitor DPA rules for a deep dive into ICMP. 

The first blog shows how to classify the type and code of ICMP traffic. You could start with this rule and build an interesting hunting or IT Operations dashboard. What would make ICMP traffic suspicious or interesting? Got a system that is over-pinging? How about all those timeouts?

The second blog is a great example of a novel threat detection entry. In that blog, we look at identifying the signature of the Nishang-based reverse PowerShell shell tunneling through ICMP.

Although you can't simply resubmit the blog code as your entry, both rules are out there as a starting point for your own entries. Feel free to repurpose the code, add on to the code, or spin it for a scenario that isn't the one described directly in the blogs!

--Rob
