Privilege Escalation via Rogue Named Pipe Impersonation
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/10/13"
integration = ["windows"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
masquerading as a known named pipe and manipulating a privileged process to connect to it.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Rogue Named Pipe Impersonation"
references = [
  "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
  "https://github.com/zcgonvh/EfsPotato",
  "https://twitter.com/SBousseaden/status/1429530155291193354",
]
risk_score = 73
rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Data Source: Sysmon",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and
  event.provider == "Microsoft-Windows-Sysmon" and

  /* Named Pipe Creation */
  event.code == "17" and

  /* Sysmon truncates the "Pipe" keyword in normal named pipe creation events */
  file.name : "\\*\\Pipe\\*"
'''

note = """## Triage and analysis

### Investigating Privilege Escalation via Rogue Named Pipe Impersonation

#### Possible investigation steps

- What rogue pipe path did the alert preserve?
  - Why: the rule references PrintSpoofer and EfsPotato-style abuse, where a controlled pipe can be hidden inside a path that makes a privileged service connect to what appears to be its normal RPC pipe.
  - Focus: alert-local `file.name`, `file.path`, or `winlog.event_data.PipeName`, with `event.provider` and `event.code`.
  - Implication: escalate when the path embeds `\\pipe\\` after another path segment or mimics a service/RPC pipe tail; benign starts only when exact namespace, creator path, command line, account, and client evidence fit one repeated local IPC workflow on this `host.id`.
- Which process and account created the suspicious pipe?
  - Focus: same-host creator `process.executable`, `process.command_line`, `user.name`, and `user.domain`.
  - Implication: escalate when a service, web worker, script host, or user-writable binary creates the pipe under a low-privileged service identity or account that should not host IPC servers; service-mimic pipe plus suspicious creator is enough while collecting client and impact evidence.
  - Hint: pivot by `process.entity_id`; if absent, pair `process.pid` with `host.id` in a tight window. $investigate_0
- Do surrounding events corroborate the creator or show a privileged client?
  - Focus: same-host Sysmon or Windows records for the same `file.name` or `winlog.event_data.PipeName`, reading `event.code`; pipe-connected events, when ingested, corroborate.
  - Hint: same pipe events on the host. $investigate_1
  - Implication: escalate when surrounding records show the same creator maintaining the pipe or, if pipe-connected events exist, a SYSTEM, administrator, service-host, or service/RPC client touching it. Missing pipe-connect telemetry is unresolved, not benign.
  - Range: alert window plus +/-5 minutes; expand only if the creator lived longer.
- Was the pipe followed by elevated execution or token/session abuse?
  - Focus: same-host process starts after pipe creation: `process.executable`, `process.command_line`, `user.name`, and `winlog.event_data.ElevatedToken` when Windows Security has token context.
  - Hint: process starts on the host around pipe creation. $investigate_2
  - Implication: elevated shell, script, service-control, SYSTEM, administrator, or elevated-token activity confirms impact; absence lowers impact only after the pipe path, creator, and client evidence fit one recognized workflow. Missing process-start or token telemetry is unresolved, not benign.
- Does the same rogue-pipe pattern show wider tooling or repeated attempts?
  - Focus: broaden only after suspicious or unresolved local evidence, using the suspicious `file.name` or `winlog.event_data.PipeName` pattern, creator `process.executable`, `host.id`, and `user.id`.
  - Hint: same pipe name or creator executable across recent events. $investigate_3
  - Implication: expand scope when the same embedded-pipe pattern, service/RPC-like tail, or creator executable appears across unrelated hosts or users; no recurrence limits scope but does not close the alert.
- Escalate when pipe shape plus creator, client, or follow-on evidence supports impersonation; close only when available evidence aligns to one recognized IPC product or authorized test with no contradictory privileged-client or elevated-execution evidence; preserve evidence and escalate when telemetry is missing, mixed, or incomplete.

### False positive analysis

- Recognized local IPC products, security tools, or in-house services can trigger when they use nested pipe namespaces with `\\pipe\\`. Confirm the exact namespace, creator path and command line, account, client process, and host cohort align to the same product, with no elevated follow-on outside that workflow.
- Authorized exploit validation can trigger this rule. Confirm test host, test account, time window, pipe namespace, and launched command match the test plan; privileged-client or elevated-execution evidence beyond the plan is suspicious.
- Build exceptions from the minimum confirmed workflow: exact pipe namespace or stable prefix, creator `process.executable` plus command-line pattern, expected `user.id`, and constrained `host.id` or host group. Avoid broad exceptions on `process.name`, service-like pipe tails, or generic `\\pipe\\`.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the pipe namespace, creator process, account, client process, host scope, and absence of unexpected elevated follow-on activity.
- If suspicious but unconfirmed, preserve the alert record, relevant Timeline events, `file.name` or `winlog.event_data.PipeName`, creator `process.entity_id` or `process.pid`, process command lines, Windows Security records, and any spawned process identifiers before containment.
- Apply reversible containment before destructive action: isolate or restrict the affected host only when pipe, creator, client, or follow-on evidence indicates active abuse, and weigh critical host roles before isolation.
- If confirmed malicious, contain the host and involved account, then terminate or suspend malicious processes only after preserving identifiers and command lines. Reset credentials only when Windows Security or process evidence shows account misuse or exposed privileged sessions.
- Eradicate only the exploit tools, scripts, service changes, or payloads identified during the investigation, then address the entry vector that let the creator process run with impersonation-capable privileges.
- Post-incident, restrict the privileged service or service account that the investigation showed was coerced or exposed to unnecessary impersonation-capable privileges."""

setup = """## Setup

This rule requires Sysmon telemetry to be enabled and ingested.

Setup instructions: https://ela.st/sysmon-event-pipe-setup
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "event.provider",
  "event.code",
  "host.id",
  "user.id",
  "process.executable",
  "process.command_line",
  "process.pid",
  "process.entity_id",
  "file.name",
  "file.path",
  "winlog.event_data.PipeName",
]

[transform]

[[transform.investigate]]
label = "Events for the pipe creator process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Events for the same pipe on this host"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "file.name", queryType = "phrase", value = "{{file.name}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.PipeName", queryType = "phrase", value = "{{winlog.event_data.PipeName}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts on the host near the pipe creation"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Events for the same pipe or creator executable"
description = ""
providers = [
  [
    { excluded = false, field = "file.name", queryType = "phrase", value = "{{file.name}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "winlog.event_data.PipeName", queryType = "phrase", value = "{{winlog.event_data.PipeName}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique.subtechnique]]
id = "T1134.001"
name = "Token Impersonation/Theft"
reference = "https://attack.mitre.org/techniques/T1134/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
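The rule's EQL filter and the first two investigation steps, as an added Python example that is not part of the Elastic rule or its detection engine: it applies the `file.name : "\\*\\Pipe\\*"` test to constructed Sysmon Event ID 17 (PipeCreated) records, drops records covered by a narrow exception of the kind the false-positive section describes, and classifies the survivors by pipe tail and creator location. The sample events, the exception entry, the list of service-pipe tails, the user-writable path prefixes, and all helper names are assumptions made for this example; the events use `user.name` where the guide's exception advice names `user.id`.

```python
"""Detection logic of the rogue named pipe rule re-implemented over sample records.
Added example, not Elastic code. Sample data below is constructed."""
import re

# The rule's pattern, with the EQL string escapes collapsed: \*\Pipe\*
PIPE_PATTERN = r"\*\Pipe\*"

# Assumption: tails of well-known RPC pipes a rogue pipe would imitate
# (spoolss is the PrintSpoofer target, efsrpc the EfsPotato one).
SERVICE_PIPE_TAILS = {"spoolss", "efsrpc", "lsarpc", "samr", "srvsvc", "netlogon"}

# Assumption: path prefixes a standard user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def sysmon_pipe_event(pipe_name, creator, user, code="17", os_type="windows"):
    """Build a flattened ECS-style record as Winlogbeat/Sysmon ingestion would produce."""
    return {"event.provider": "Microsoft-Windows-Sysmon", "event.code": code,
            "host.os.type": os_type, "file.name": pipe_name,
            "process.executable": creator, "user.name": user}


# Constructed sample telemetry. Sysmon records the part after the leading \pipe\,
# so a normal pipe shows as "\spoolss" while a nested one keeps its inner "\pipe\".
SAMPLE_EVENTS = [
    sysmon_pipe_event(r"\spoolss", r"C:\Windows\System32\spoolsv.exe", "SYSTEM"),
    sysmon_pipe_event(r"\test\pipe\spoolss", r"C:\Users\bob\Downloads\tool.exe", "bob"),
    sysmon_pipe_event(r"\x\pipe\y", r"C:\Users\bob\tool.exe", "bob", code="18"),  # PipeConnected, not created
    sysmon_pipe_event(r"\Acme\Pipe\Agent", r"C:\Program Files\Acme\agent.exe", "SYSTEM"),
    sysmon_pipe_event(r"\Acme\Pipe\Agent", r"C:\Users\bob\agent.exe", "bob"),
    sysmon_pipe_event(r"\Contoso\pipe\sync", r"C:\Program Files\Contoso\sync.exe", "SYSTEM"),
]

# A minimum-workflow exception: exact pipe namespace plus creator plus account.
EXCEPTIONS = [
    {"file.name": r"\Acme\Pipe\Agent",
     "process.executable": r"C:\Program Files\Acme\agent.exe",
     "user.name": "SYSTEM"},
]


def eql_wildcard_match(value, pattern):
    """EQL ':' operator semantics: case-insensitive, '*' matches any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def rule_matches(event):
    """The rule's where-clause: a Sysmon pipe-creation event whose name embeds \\Pipe\\."""
    return (event.get("host.os.type") == "windows"
            and event.get("event.provider") == "Microsoft-Windows-Sysmon"
            and event.get("event.code") == "17"
            and eql_wildcard_match(event.get("file.name", ""), PIPE_PATTERN))


def pipe_tail(pipe_name):
    """Last path segment of the pipe name, lower-cased for comparison."""
    return pipe_name.rsplit("\\", 1)[-1].lower()


def matches_exception(event, exception):
    """An exception applies only when every constrained field matches exactly."""
    return all(event.get(k, "").lower() == v.lower() for k, v in exception.items())


def triage(event):
    """Investigation steps 1 and 2: pipe shape and creator location decide the verdict."""
    creator = event.get("process.executable", "").lower()
    mimics_service = pipe_tail(event["file.name"]) in SERVICE_PIPE_TAILS
    suspicious_creator = creator.startswith(USER_WRITABLE_PREFIXES)
    verdict = "escalate" if (mimics_service or suspicious_creator) else "review"
    return {"pipe": event["file.name"], "creator": event.get("process.executable"),
            "mimics_service_pipe": mimics_service,
            "suspicious_creator": suspicious_creator, "verdict": verdict}


def run_rule(events, exceptions=()):
    """Filter events with the rule, apply exceptions, and triage what remains."""
    return [triage(ev) for ev in events
            if rule_matches(ev) and not any(matches_exception(ev, x) for x in exceptions)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, EXCEPTIONS):
        print(alert)
```

Two points the run makes visible: the ordinary `\spoolss` creation by the spooler never matches because Sysmon has already stripped its `\pipe\` prefix, while `\test\pipe\spoolss` matches on the inner segment and escalates on both pipe tail and creator; and the Acme exception silences only the exact creator and account it was built from, so the same pipe name created from a user-writable path still alerts.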
Related rules
- Bypass UAC via Event Viewer
- Potential Escalation via Vulnerable MSI Repair
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Windir Environment Variable
- Suspicious Print Spooler Point and Print DLL