NullSessionPipe Registry Modification
Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.
Elastic rule
[metadata]
creation_date = "2021/03/22"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be
indicative of adversary lateral movement preparation by making the added pipe available to everyone.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "NullSessionPipe Registry Modification"
references = [
    "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
    "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
]
risk_score = 47
rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
  "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
  "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
  "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
) and length(registry.data.strings) > 0 and
not registry.data.strings : "(empty)"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating NullSessionPipe Registry Modification

The NullSessionPipes value under the LanmanServer Parameters key is a REG_MULTI_SZ list of the named pipes the Server service will serve to null (anonymous) SMB sessions. Adding a pipe to the list lets a null session open that pipe without credentials, which is why adversaries use it while preparing lateral movement. The rule fires on any change to this value that leaves it non-empty; it does not compare the new list with the old one, so a rewrite of an unchanged list triggers as well.

### Possible investigation steps

- Review the registry event to confirm which pipes the NullSessionPipes value now contains. The registry.data.strings field holds the full list after the write, so compare it with the host's expected configuration to tell new entries from pre-existing ones.
- Correlate the timestamp of the registry change with other events from the same host, such as unusual network connections or process executions, to identify concurrent suspicious activity.
- Identify the process and user account that performed the write (process.executable, process.parent.name, user.name) to determine whether the change came from a legitimate administrative tool or from an unexpected process or account.
- Check for recent alerts or logs related to lateral movement or unauthorized access attempts on the network, focusing on the host where the registry change was detected.
- Assess the risk of the listed pipes by determining whether they are required for legitimate operations or are known to be abused by malware or threat actors.

### False positive analysis

- Legitimate administrative tools or scripts may modify the NullSessionPipes value as part of routine network management. Review the source of the change and verify that it aligns with known administrative activity.
- Domain controllers carry a default list of anonymous pipes (netlogon, samr and lsarpc from the Default Domain Controllers Policy), and a Group Policy security refresh can rewrite that list unchanged. Compare the written value with the host's baseline before treating the event as an addition.
- Some network services or applications require anonymous access to specific pipes. Identify these services and document them to distinguish expected from unexpected modifications.
- Scheduled tasks or automated deployment scripts may alter the value during updates or installations. Ensure these tasks are documented and verify their legitimacy.
- Security software or network monitoring tools might adjust the NullSessionPipes value for scanning purposes. Confirm with your security team whether such tools are in use and add exceptions for these known activities.
- Regularly review and update the list of known exceptions in your detection system to prevent alert fatigue and keep the focus on genuine threats.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Review the registry change to identify any unauthorized pipes added to the NullSessionPipes value and remove them to restore the expected configuration.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to detect and remove any malicious software that may have been introduced.
- Analyze network logs and system event logs to identify unauthorized access attempts or successful connections made through the added pipes, and block any suspicious IP addresses or accounts.
- Reset credentials for any accounts that may have been compromised or used in conjunction with the unauthorized access so they cannot be reused by adversaries.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine whether additional systems have been affected.
- Implement enhanced monitoring and alerting for changes to the NullSessionPipes value and similar registry paths to detect and respond to future unauthorized modifications promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
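The query above, prototyped in Python as an added example for this page (it is not code from Elastic or the detection-rules repository): it applies the same path, event-type and data predicates to constructed registry events, then goes one step further than the rule by diffing the written pipe list against a per-host baseline, so a rewrite of an unchanged list is separated from a genuine addition. The flattened ECS-style event dicts, the host names, the pipe names and the dc01 baseline are assumptions made for the example; the baseline values are the pipes Microsoft's Default Domain Controllers Policy permits anonymously.

```python
"""
Prototype of the NullSessionPipes rule, run over constructed registry events.
Added example for this page, not code from Elastic or the rule repository.
Events are plain dicts with flattened ECS-style keys; hosts, pipe names and the
domain-controller baseline are assumptions chosen for the example.
"""
import re

# The three hive spellings the EQL lists (HKLM\, \REGISTRY\MACHINE\, MACHINE\)
# and its *ControlSet* wildcard, which covers CurrentControlSet and ControlSet00N.
# EQL's ":" operator is case-insensitive, hence re.IGNORECASE.
NULL_SESSION_PIPES_RE = re.compile(
    r"^(?:HKLM\\|\\REGISTRY\\MACHINE\\|MACHINE\\)"
    r"SYSTEM\\.*ControlSet.*\\services\\LanmanServer\\Parameters\\NullSessionPipes$",
    re.IGNORECASE,
)

# Assumed baseline: the Default Domain Controllers Policy allows these three
# pipes anonymously; member servers and workstations default to none.
DC_DEFAULT_PIPES = frozenset({"netlogon", "samr", "lsarpc"})
BASELINES = {"dc01": DC_DEFAULT_PIPES}


def data_strings(ev):
    """registry.data.strings is a REG_MULTI_SZ, one pipe per element; tolerate a
    single string for sources that flatten it."""
    value = ev.get("registry.data.strings") or []
    return [value] if isinstance(value, str) else list(value)


def matches_rule(ev):
    """Same predicate as the EQL query: a Windows registry change to the
    NullSessionPipes value with non-empty data, excluding Sysmon's literal
    "(empty)" marker that appears when the value is cleared."""
    strings = data_strings(ev)
    return (
        ev.get("event.category") == "registry"
        and ev.get("host.os.type") == "windows"
        and ev.get("event.type") == "change"
        and NULL_SESSION_PIPES_RE.match(ev.get("registry.path", "")) is not None
        and len(strings) > 0
        and not any(s == "(empty)" for s in strings)
    )


def triage(ev, baselines=BASELINES):
    """One step past the rule: diff the written list against the host's expected
    baseline, so a policy refresh that rewrites the same pipes is 'baseline'
    and only genuinely new pipes give 'new_pipes'. Returns None when the rule
    would not match."""
    if not matches_rule(ev):
        return None
    host = ev.get("host.name", "")
    written = {s.strip().lower() for s in data_strings(ev) if s.strip()}
    added = written - baselines.get(host, frozenset())
    return {
        "host": host,
        "path": ev["registry.path"],
        "actor": f"{ev.get('user.name', '?')} via {ev.get('process.name', '?')}",
        "added": sorted(added),
        "verdict": "new_pipes" if added else "baseline",
    }


def _event(host, path, strings, process, user, os_type="windows"):
    return {
        "host.name": host, "host.os.type": os_type, "event.category": "registry",
        "event.type": "change", "registry.path": path, "registry.data.strings": strings,
        "process.name": process, "user.name": user,
    }


_DC_PATH = r"HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters\NullSessionPipes"
_NT_PATH = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Group Policy security refresh on a DC rewriting the unchanged default list.
    _event("dc01", _DC_PATH, ["netlogon", "samr", "lsarpc"], "svchost.exe", "SYSTEM"),
    # Member server: spoolss added with reg.exe, NT-style path spelling.
    _event("fs01", _NT_PATH, ["spoolss"], "reg.exe", "jdoe"),
    # Value cleared; Sysmon reports the literal "(empty)", which the rule skips.
    _event("fs01", _DC_PATH, ["(empty)"], "reg.exe", "jdoe"),
    # The sibling NullSessionShares value is out of scope for this rule.
    _event("fs01", _DC_PATH.replace("NullSessionPipes", "NullSessionShares"), ["public"], "reg.exe", "jdoe"),
    # DC where an extra pipe was appended to the defaults.
    _event("dc01", _DC_PATH, ["netlogon", "samr", "lsarpc", "wkssvc"], "powershell.exe", "admin"),
]


def run(events=SAMPLE_EVENTS, baselines=BASELINES):
    """Return a triage record for every event the rule would match, in order."""
    return [r for r in (triage(ev, baselines) for ev in events) if r is not None]


if __name__ == "__main__":
    for r in run():
        print(r["verdict"], r["host"], r["added"], r["actor"])
```

Run it directly to print one line per matching event: the DC refresh is classed as baseline, the two additions as new_pipes, and the cleared value and the NullSessionShares write never reach triage. The diff step is what the first investigation step in the guide does by hand; in a pipeline it needs either a stored per-host baseline or the previous event for the same key, because a single registry change event carries only the value after the write.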
Related rules
- Local Account TokenFilter Policy Disabled
- RDP Enabled via Registry
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Command Shell Activity Started via RunDLL32
- DNS Global Query Block List Modified or Disabled