
Revision history

initial version

There is a forum post mentioning both botnets and vendor software using the "EEEE..." payload, but nothing that mentions sending to the broadcast address. There are some Snort/Suricata rules that match on ICMP and the "EEEE..." payload, but for very old CVEs.

It would be nice if the sysinternals tools tracked ICMP but they don't.

If it's a persistent process you may be able to identify it with a netsh trace capture, etl2pcapng and Wireshark. This only provides the process ID. If it's an ephemeral process you would need to track the running processes during the capture to get the process name.
Video and slides (11: Automation TIPS & tricks Using Wireshark/tshark in Windows by Megumi Takeshita) are available here: Sharkfest '20 presentations

If you can load software on the offending client machine, more detailed process information is available with the (now deprecated) Microsoft Message Analyzer (link to download it from the Internet Archive).

Some articles mention blocking outbound ICMP with a firewall loaded on the client and checking the logs for process information. I found when testing that ICMP from nmap was not blocked or logged.
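The netsh trace / etl2pcapng workflow described above, with the process-table sampling needed for ephemeral senders, as an added example (not code from the original answer). It assumes an elevated PowerShell session, etl2pcapng.exe on the PATH, and the output directory C:\icmp-hunt (a constructed path):

```powershell
# Added example, not from the original post. Run as Administrator.
# Assumes etl2pcapng.exe is on the PATH and C:\icmp-hunt is writable.
param(
    [int]$DurationSeconds = 120,
    [int]$SampleSeconds   = 2,
    [string]$OutDir       = "C:\icmp-hunt"
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$etl   = Join-Path $OutDir "trace.etl"
$pcap  = Join-Path $OutDir "trace.pcapng"
$procs = Join-Path $OutDir "process-samples.csv"

# Start a packet capture; the ETL records the owning PID for each packet,
# which etl2pcapng carries into the pcapng as a per-packet comment.
netsh trace start capture=yes tracefile="$etl" maxsize=512 overwrite=yes | Out-Null

# Sample the process table while the capture runs so a short-lived sender
# can still be mapped from its PID to an image name and command line later.
$deadline = (Get-Date).AddSeconds($DurationSeconds)
while ((Get-Date) -lt $deadline) {
    $ts = Get-Date -Format "o"
    Get-CimInstance Win32_Process |
        Select-Object @{n='Timestamp';e={$ts}}, ProcessId, ParentProcessId, Name, CommandLine |
        Export-Csv -Path $procs -Append -NoTypeInformation
    Start-Sleep -Seconds $SampleSeconds
}

netsh trace stop | Out-Null
& etl2pcapng.exe $etl $pcap

# In Wireshark, open $pcap and filter the suspect traffic, e.g.
#   icmp && frame contains "EEEE"
# then read the PID from the packet comment (frame.comment) and resolve it:
function Resolve-CapturedPid {
    param([int]$ProcessId, [string]$Csv = $procs)
    Import-Csv $Csv |
        Where-Object { [int]$_.ProcessId -eq $ProcessId } |
        Select-Object -First 1 Timestamp, ProcessId, ParentProcessId, Name, CommandLine
}
```

Resolve-CapturedPid only returns a hit if the process was alive during one of the samples, so shorten $SampleSeconds for very short-lived senders.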