Privilege Escalation via Rogue Named Pipe Impersonation

Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.

Elastic rule

```toml
[metadata]
creation_date = "2021/10/13"
integration = ["windows"]
maturity = "production"
updated_date = "2025/02/25"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
masquerading as a known named pipe and manipulating a privileged process to connect to it.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Rogue Named Pipe Impersonation"
references = [
    "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
    "https://github.com/zcgonvh/EfsPotato",
    "https://twitter.com/SBousseaden/status/1429530155291193354",
]
risk_score = 73
rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
setup = """## Setup

Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
`condition equal "contains" and keyword equal "pipe"`

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and
  event.provider == "Microsoft-Windows-Sysmon" and

  /* Named Pipe Creation */
  event.code == "17" and

  /* Sysmon truncates the "Pipe" keyword in normal named pipe creation events */
  file.name : "\\*\\Pipe\\*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Privilege Escalation via Rogue Named Pipe Impersonation

Named pipes in Windows facilitate inter-process communication, allowing data exchange between processes. Adversaries exploit this by creating rogue named pipes, tricking privileged processes into connecting and executing malicious actions under elevated privileges. The detection rule identifies suspicious named pipe creation events, focusing on patterns indicative of impersonation attempts, thus flagging potential privilege escalation activities.

### Possible investigation steps

- Review the event logs for the specific named pipe creation event identified by the query, focusing on the file.name field to determine the exact named pipe path and assess its legitimacy.
- Correlate the event with the process that created the named pipe by examining related process creation logs, identifying the process ID and executable responsible for the action.
- Investigate the user context under which the named pipe was created to determine if it aligns with expected behavior or if it indicates potential misuse of privileges.
- Check for any recent changes or anomalies in the system's configuration or user accounts that could suggest unauthorized access or privilege escalation attempts.
- Analyze historical data for similar named pipe creation events to identify patterns or repeated attempts that could indicate a persistent threat or ongoing attack.

### False positive analysis

- Legitimate software or system processes may create named pipes that match the detection pattern. Regularly review and whitelist known benign processes that frequently create named pipes to reduce noise.
- System management tools and monitoring software might generate named pipe creation events as part of their normal operation. Identify these tools and exclude their events from triggering alerts.
- Custom in-house applications that use named pipes for inter-process communication can trigger false positives. Work with development teams to document these applications and create exceptions for their activity.
- Scheduled tasks or scripts that run with elevated privileges and create named pipes could be mistaken for malicious activity. Ensure these tasks are documented and excluded from the detection rule.
- Security software or endpoint protection solutions may use named pipes for legitimate purposes. Verify these activities and adjust the rule to prevent unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes associated with the rogue named pipe to halt any ongoing malicious activities.
- Conduct a thorough review of the system's event logs, focusing on named pipe creation events, to identify any other potentially compromised processes or systems.
- Reset credentials for any accounts that may have been exposed or used in the privilege escalation attempt to prevent further unauthorized access.
- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
- Implement enhanced monitoring for named pipe creation events across the network to detect and respond to similar threats in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
...
```
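As an added example, not code from the Elastic rule, from Sysmon, or from the PrintSpoofer/EfsPotato projects, the Python below re-implements the rule's match condition over constructed Sysmon-style records and then joins each hit back to the creating process, which is what the first two investigation steps in the guide ask an analyst to do. The prefix stripping in `sysmon_pipe_name` is an assumption taken from the rule's own comment that Sysmon truncates the `\pipe\` keyword in ordinary creation events; it is what makes `\\.\pipe\spoolss` log as `\spoolss` (no alert) while a PrintSpoofer-style `\\.\pipe\<host>\pipe\spoolss` keeps a `\pipe\` segment and fires. Field names follow the ECS mapping Winlogbeat applies to Sysmon; every event, GUID, user and path in `SAMPLE_EVENTS` is made up.

```python
import re

# Assumption (inferred from the rule's comment, not quoted from Sysmon docs):
# Sysmon records a pipe name relative to the named-pipe device, so the
# leading \\.\pipe or \Device\NamedPipe prefix is gone before file.name is logged.
_PIPE_DEVICE_PREFIX = re.compile(r"^(\\\\\.\\pipe|\\Device\\NamedPipe)(?=\\)", re.IGNORECASE)

# The EQL literal "\\*\\Pipe\\*" unescapes to this wildcard pattern.
RULE_PATTERN = r"\*\Pipe\*"


def sysmon_pipe_name(win32_path: str) -> str:
    """Return the name Sysmon event 17 would put in file.name for a Win32 pipe path."""
    return _PIPE_DEVICE_PREFIX.sub("", win32_path)


def eql_wildcard_match(pattern: str, value: str) -> bool:
    """Mirror EQL's ':' operator: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_matches(event: dict) -> bool:
    """The rule's where-clause applied to one ECS-shaped event."""
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.provider") == "Microsoft-Windows-Sysmon"
        and event.get("event.code") == "17"
        and eql_wildcard_match(RULE_PATTERN, event.get("file.name", ""))
    )


def correlate_hits(events: list) -> list:
    """Run the rule over a batch and join each hit to its process-creation record
    (event 17 -> event 1) via process.entity_id, Sysmon's ProcessGuid."""
    procs = {e["process.entity_id"]: e for e in events if e.get("event.code") == "1"}
    hits = []
    for e in events:
        if not rule_matches(e):
            continue
        proc = procs.get(e["process.entity_id"], {})
        hits.append({
            "pipe": e["file.name"],
            "executable": proc.get("process.executable", "<no event 1 in batch>"),
            "user": proc.get("user.name", "<unknown>"),
        })
    return hits


def _ev(code: str, guid: str, fields: dict) -> dict:
    """Build a constructed Sysmon event with the fields the rule filters on."""
    base = {"host.os.type": "windows", "event.provider": "Microsoft-Windows-Sysmon",
            "event.code": code, "process.entity_id": guid}
    base.update(fields)
    return base


# Constructed sample batch: two process creations, three pipe creations, one pipe connect.
SAMPLE_EVENTS = [
    _ev("1", "{guid-0001}", {"process.executable": r"C:\Windows\System32\spoolsv.exe",
                             "user.name": "SYSTEM"}),
    _ev("1", "{guid-0002}", {"process.executable": r"C:\Users\bob\Downloads\ps.exe",
                             "user.name": "bob"}),
    # Ordinary spooler pipe: prefix stripped, no "\pipe\" segment survives, so no alert.
    _ev("17", "{guid-0001}", {"file.name": sysmon_pipe_name(r"\\.\pipe\spoolss")}),
    # PrintSpoofer-style rogue pipe: "\pipe\" sits *after* the device prefix and survives.
    _ev("17", "{guid-0002}", {"file.name": sysmon_pipe_name(r"\\.\pipe\bob\pipe\spoolss")}),
    # Same name but a pipe *connect* (event 18): out of scope for this rule.
    _ev("18", "{guid-0001}", {"file.name": sysmon_pipe_name(r"\\.\pipe\bob\pipe\spoolss")}),
    # Benign PowerShell host pipe: contains "PSHost" but no "\pipe\" segment.
    _ev("17", "{guid-0002}", {"file.name": sysmon_pipe_name(r"\\.\pipe\PSHost.133.8.bob.pwsh")}),
]


if __name__ == "__main__":
    for hit in correlate_hits(SAMPLE_EVENTS):
        print(hit)
```

Running it yields a single hit, `\bob\pipe\spoolss` created by `C:\Users\bob\Downloads\ps.exe` as `bob`, which is the shape of a PrintSpoofer-style attempt: a low-privileged process registering a server pipe whose path contains a second `\pipe\` segment so that a privileged client resolving `\\<host>\pipe\spoolss` lands on it. The `_PIPE_DEVICE_PREFIX` step matters for tuning: if your pipeline ever feeds un-truncated `\\.\pipe\...` paths into `file.name`, every pipe on the host matches the wildcard and the rule becomes noise.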
