Turla Group Named Pipes

Detects a named pipe used by Turla group samples

Sigma rule

title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: test
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
author: Markus Neis
date: 2017-11-06
modified: 2021-11-27
tags:
    - attack.g0010
    - attack.execution
    - attack.t1106
    - detection.emerging-threats
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\atctl'    # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\comnap'   # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\iehelper' # ruag apt case
            - '\sdlrpc'   # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\userpipe' # ruag apt case
            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unlikely
level: critical
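As an added example (not part of the Sigma rule or the SigmaHQ project), the selection above applied in Python to constructed Sysmon Event ID 17/18 pipe_created records in EVTX XML form; Sigma compares string values case-insensitively, which the matcher reproduces, and the commented-out '\rpc' entry is deliberately left out so the lsass sample produces no hit. The sample events and image paths are constructed, not real telemetry.

```python
import xml.etree.ElementTree as ET

# Pipe names from the rule's selection; Sigma matches string values case-insensitively.
TURLA_PIPE_NAMES = {"\\atctl", "\\comnap", "\\iehelper", "\\sdlrpc", "\\userpipe"}
# Sysmon event IDs in the pipe_created category: 17 = pipe created, 18 = pipe connected.
PIPE_EVENT_IDS = {"17", "18"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_sysmon_event(xml_text):
    """Return (event_id, {data_name: value}) for one Sysmon event in EVTX XML form."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def matches_turla_pipe(xml_text):
    """Apply the rule's selection: a pipe_created event whose PipeName is on the list."""
    event_id, data = parse_sysmon_event(xml_text)
    if event_id not in PIPE_EVENT_IDS:
        return False
    return data.get("PipeName", "").lower() in TURLA_PIPE_NAMES

def find_turla_pipes(events):
    """Return (PipeName, Image) for every matching event, the fields an analyst triages first."""
    hits = []
    for xml_text in events:
        if matches_turla_pipe(xml_text):
            _, data = parse_sysmon_event(xml_text)
            hits.append((data.get("PipeName"), data.get("Image")))
    return hits

# Constructed sample events (not real telemetry); only the fields the rule needs are included.
def _event(event_id, pipe_name, image):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="PipeName">{pipe_name}</Data>
    <Data Name="Image">{image}</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    _event(17, "\\comnap", "C:\\Windows\\System32\\svchost.exe"),   # on the list: fires
    _event(18, "\\IEHelper", "C:\\Users\\Public\\update.exe"),      # case differs: still fires
    _event(17, "\\rpc", "C:\\Windows\\System32\\lsass.exe"),        # commented out in the rule: no hit
    _event(17, "\\PSHost.1234", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    _event(1, "\\comnap", "C:\\Windows\\System32\\cmd.exe"),        # not a pipe event: no hit
]
```

Running `find_turla_pipes(SAMPLE_EVENTS)` returns the two alerts for `\comnap` and `\IEHelper` and nothing for the other three events.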
