NullSessionPipe Registry Modification
Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.
# Rule housekeeping. The integration list broadly mirrors the index patterns declared under [rule]
# (endgame-* and winlogbeat-* are read there without a matching integration entry).
[metadata]
creation_date = "2021/03/22"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
# Stack floor; per min_stack_comments the Windows integration changed incompatibly at 8.14.0, so
# older stacks are not expected to provide the field layout this query relies on.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
[rule]
author = ["Elastic"]
description = """
Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be
indicative of adversary lateral movement preparation by making the added pipe available to everyone.
"""
# Lookback window for each rule execution, measured on event.ingested (see timestamp_override).
from = "now-9m"
# Registry-event sources the query runs against: Elastic Defend, Endgame, Sysmon (via the Windows
# integration), Winlogbeat, Microsoft Defender for Endpoint and SentinelOne.
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "NullSessionPipe Registry Modification"
# Observed abuse (Turla write-up) and the Microsoft policy that governs anonymous pipe access.
references = [
 "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
]
risk_score = 47
rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
severity = "medium"
# Tactic tags correspond to the two [[rule.threat]] entries below; Data Source tags to the index patterns above.
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
]
# Evaluate on ingest time rather than the event's own timestamp so that delayed shipping does not
# push an event outside the `from` window before the rule has seen it.
timestamp_override = "event.ingested"
type = "eql"

# Alerts on Windows registry change events that leave the LanmanServer NullSessionPipes value non-empty.
# The three registry.path patterns are the same key under different root-prefix spellings (HKLM\...,
# \REGISTRY\MACHINE\..., MACHINE\...) -- presumably the forms the various data sources emit; "*ControlSet*"
# covers CurrentControlSet as well as the numbered ControlSet00N keys. The value lists named pipes that
# may be opened over SMB without authentication, so any non-empty write widens anonymous access.
# Writes that clear the value are deliberately excluded: an empty multi-string (length 0) or the
# "(empty)" placeholder -- presumably the sentinel a source writes for a cleared value; confirm per source.
# If an environment legitimately populates this value, tune by excluding the expected pipe names in
# registry.data.strings rather than widening the path patterns.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
 "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
 "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
) and length(registry.data.strings) > 0 and
not registry.data.strings : "(empty)"
'''
51
52
# ATT&CK mapping, one [[rule.threat]] element per tactic. The [rule.threat.tactic] table and the
# [[rule.threat.technique]] entries belong to the most recently opened [[rule.threat]] element, so they
# must stay between this header and the next [[rule.threat]].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
# Sub-technique of the T1021 entry directly above; keep it after that entry.
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
# Second tactic mapping: the registry write itself is a Defense Evasion technique, independent of the
# lateral-movement use the widened pipe access enables.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


# Tactic for this [[rule.threat]] element only; a further [[rule.threat]] would need its own.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"