[New Rule] ICMP Redirect Message from Internal Host#6351
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Pull request overview
Adds a new network detection rule to identify ICMP Redirect messages originating from internal hosts, intended to highlight suspicious route manipulation consistent with Adversary-in-the-Middle activity.
Changes:
- Introduces a new KQL (
kuery) rule targeting ICMP Redirect (IPv4 type 5 / IPv6 type 137) events innetwork_traffic.icmp. - Adds an investigation guide, references, and MITRE ATT&CK mapping for Credential Access / Adversary-in-the-Middle.
- Configures rule metadata (indices, lookback window, severity/risk, tags, and
timestamp_override).
|
⛔️ Test failed Results
|
| data_stream.dataset:network_traffic.icmp | ||
| and (network_traffic.icmp.request.type:(5 or 137) or icmp.request.type:(5 or 137)) | ||
| and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FC00::/7" or "FE80::/10") |
There was a problem hiding this comment.
Will the rule trigger FPs since there is no exclusion for legitimate redirects?
There was a problem hiding this comment.
Generally speaking, yes there will likely be some FPs. However, the number would generally be based on whether or not one is using an internal IP address for en route redirects. This can happen, but is not standard. Given that, I expect the default would be to manage those cases with case by case exceptions, will the rule itself still providing value.
|
⛔️ Test failed Results
|
Pull Request
Issue link(s):
Summary - What I changed
Adds a new
querynetwork detection rule that identifies ICMP Redirect messages (IPv4 type 5 and IPv6 type 137) sourced from internal RFC1918 addresses. ICMP Redirects are normally generated by on-path routers, so redirect messages from workstations or servers may indicate route manipulation for adversary-in-the-middle activity.How To Test
RTA and shared data in stack.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist