Suspicious Impacket Pipe Creation - Psexec
Detects named pipes created as a result of Impacket PSExec.py usage.
Sigma rule (View on GitHub)
1title: Suspicious Impacket Pipe Creation - Psexec
2id: 019a9cea-6b05-4ea3-9aa2-f8ff6f9e92d5
3status: experimental
4description: Detects named pipes created as a result of Impacket PSExec.py usage.
5references:
6 - https://github.com/fortra/impacket/blob/impacket_0_9_24/examples/psexec.py
7 - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
8author: Micah Babinski
9date: 2023/01/08
10tags:
11 - attack.s0357
12 - attack.execution
13 - attack.t1569
14 - attack.t1569.002
15logsource:
16 category: pipe_created
17 product: windows
18 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
19detection:
20 selection:
21 Image|re: '^c:\\Windows\\[A-Za-z]{8}\.exe$'
22 PipeName|startswith: '\RemCom_'
23 condition: selection
24fields:
25 - Image
26 - PipeName
27falsepositives:
28 - Unknown
29level: high```
References
-
Impacket is a collection of Python classes for working with network protocols. - fortra/impacket
Read More
Related rules
- Suspicious Impacket PSExec Temp Executable File Creation
- Impacket AtExec Process Activity
- Impacket AtExec Suspicious Registry Modification
- Impacket AtExec Suspicious Temp File Creation
- Possible Impacket AtExec Activity