NullSessionPipe Registry Modification

Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon ·

Share on:

Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/03/22"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be
13indicative of adversary lateral movement preparation by making the added pipe available to everyone.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "NullSessionPipe Registry Modification"
20references = [
21    "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
22    "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
23]
24risk_score = 47
25rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32registry where host.os.type == "windows" and event.type in ("creation", "change") and
33registry.path : (
34    "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
35    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
36) and length(registry.data.strings) > 0
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1021"
44name = "Remote Services"
45reference = "https://attack.mitre.org/techniques/T1021/"
46[[rule.threat.technique.subtechnique]]
47id = "T1021.002"
48name = "SMB/Windows Admin Shares"
49reference = "https://attack.mitre.org/techniques/T1021/002/"
50
51
52
53[rule.threat.tactic]
54id = "TA0008"
55name = "Lateral Movement"
56reference = "https://attack.mitre.org/tactics/TA0008/"
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1112"
62name = "Modify Registry"
63reference = "https://attack.mitre.org/techniques/T1112/"
64
65[rule.threat.tactic]
66id = "TA0005"
67name = "Defense Evasion"
68reference = "https://attack.mitre.org/tactics/TA0005/"

References

A dive into Turla PowerShell usage

ESET researchers show how, in a bid to evade detection, the Turla group leverages PowerShell scripts to inject malware directly into memory.

Read More
Network access Restrict anonymous access to Named Pipes and Shares - Windows 10

Best practices, security considerations, and more for the security policy setting, Network access Restrict anonymous access to Named Pipes and Shares.

Read More

NullSessionPipe Registry Modification

Elastic rule (View on GitHub)

References

A dive into Turla PowerShell usage

Network access Restrict anonymous access to Named Pipes and Shares - Windows 10

Related rules