Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 5 Hours |
| Deduplication Period | 2 Days |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An endpoint performed an abnormal ICMP echo (PING) to multiple hosts on the network.
Attacker's Goals
An adversary may use ICMP to map IP addresses, hostnames and network segments in order to plan lateral movement over the network.
Investigative actions
- Verify if the host is a newly deployed host.
- Verify whether new services or applications that require network mapping were installed on the initiating host.
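
A sketch of how a detector of this kind can be built from the periods in the Synopsis, run over constructed ICMP echo records. It is an added example, not the product's detection logic; the record layout, `MIN_HOSTS` and `FACTOR` are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAIN = timedelta(days=30)   # Training Period from the Synopsis
TEST = timedelta(hours=5)    # Test Period from the Synopsis
DEDUP = timedelta(days=2)    # Deduplication Period from the Synopsis
MIN_HOSTS = 10               # assumed floor on distinct targets, not from the page
FACTOR = 3                   # assumed multiplier over the baseline, not from the page

def detect(events, now, last_alert=None):
    """events: iterable of (timestamp, src_ip, dst_ip) ICMP echo requests.
    Returns {src: (targets_in_test_window, baseline_max, no_training_history)}."""
    last_alert = last_alert or {}
    test_start = now - TEST
    current = defaultdict(set)                       # src -> targets in test window
    history = defaultdict(lambda: defaultdict(set))  # src -> 5h bucket -> targets
    for ts, src, dst in events:
        if test_start <= ts <= now:
            current[src].add(dst)
        elif now - TRAIN <= ts < test_start:
            bucket = (test_start - ts) // TEST       # buckets counted back in time
            history[src][bucket].add(dst)
    alerts = {}
    for src, dsts in current.items():
        if src in last_alert and now - last_alert[src] < DEDUP:
            continue                                 # suppress repeat alerts
        baseline = max((len(d) for d in history.get(src, {}).values()), default=0)
        if len(dsts) >= max(MIN_HOSTS, FACTOR * baseline):
            alerts[src] = (len(dsts), baseline, src not in history)
    return alerts

NOW = datetime(2024, 1, 31, 12, 0)

def sample_events():
    """Constructed records: a workstation, a monitoring server, a new host."""
    ev = []
    for day in range(1, 30):
        t = NOW - timedelta(days=day)
        ev += [(t, "10.0.0.5", "10.0.0.1"), (t, "10.0.0.5", "10.0.0.2")]
        ev += [(t, "10.0.0.9", f"10.0.1.{i}") for i in range(30)]
    t = NOW - timedelta(hours=1)
    ev += [(t, "10.0.0.5", f"10.0.2.{i}") for i in range(40)]   # sudden sweep
    ev += [(t, "10.0.0.9", f"10.0.1.{i}") for i in range(30)]   # usual behaviour
    ev += [(t, "10.0.0.77", f"10.0.3.{i}") for i in range(12)]  # no history
    return ev

if __name__ == "__main__":
    for src, hit in detect(sample_events(), NOW).items():
        print(src, hit)
```

The third field in each result marks a source with no training history, which corresponds to the first investigative action (a newly deployed host).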