Suspicious Impacket Pipe Creation - Psexec

 1title: Suspicious Impacket Pipe Creation - Psexec
 2id: 019a9cea-6b05-4ea3-9aa2-f8ff6f9e92d5
 3status: experimental
 4description: Detects named pipes created as a result of Impacket PSExec.py usage. 
 5references:
 6    - https://github.com/fortra/impacket/blob/impacket_0_9_24/examples/psexec.py
 7    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
 8author: Micah Babinski
 9date: 2023/01/08
10tags:
11    - attack.s0357
12    - attack.execution
13    - attack.t1569
14    - attack.t1569.002
15logsource:
16    category: pipe_created
17    product: windows
18    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
19detection:
20    selection:
21        Image|re: '^c:\\Windows\\[A-Za-z]{8}\.exe$'
22        PipeName|startswith: '\RemCom_'
23    condition: selection
24fields:
25    - Image
26    - PipeName
27falsepositives:
28    - Unknown
29level: high```

References

• impacket/examples/psexec.py at impacket_0_9_24 · fortra/impacket

  

  Impacket is a collection of Python classes for working with network protocols. - fortra/impacket

  
  Read More

• Downloads

  13Cubed Downloads

  
  Read More

Related rules

• Suspicious Impacket PSExec Temp Executable File Creation
• Impacket AtExec Process Activity
• CobaltStrike Service Installations - System
• PowerShell Scripts Installed as Services
• Rundll32 Execution Without Parameters