Turla Group Named Pipes
Detects a named pipe used by Turla group samples
Sigma rule

```yaml
title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: test
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
author: Markus Neis
date: 2017-11-06
modified: 2021-11-27
tags:
    - attack.g0010
    - attack.execution
    - attack.t1106
    - detection.emerging-threats
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\iehelper' # ruag apt case
            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\userpipe' # ruag apt case
            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
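To see what the selection above actually fires on, here is an added Python example (not part of the Sigma rule or of the Sigma project) that implements Sigma's string-matching semantics (case-insensitive, anchored, with `*`/`?` wildcards and backslash escapes) for the five `PipeName` values and runs them over a handful of constructed Sysmon pipe events. The sample events, images and PIDs are made up for illustration, and the example assumes the usual Sysmon backend mapping of the `pipe_created` category to Event ID 17 (Event ID 18, pipe connected, belongs to `pipe_connected`).

```python
import re

# Values copied from the rule's selection. They are single-quoted in YAML,
# so each leading backslash is exactly one literal backslash character.
TURLA_PIPE_NAMES = [r"\atctl", r"\comnap", r"\iehelper", r"\sdlrpc", r"\userpipe"]


def sigma_value_to_regex(value: str) -> "re.Pattern[str]":
    """Translate one Sigma string value into an anchored, case-insensitive regex.

    Sigma semantics: '*' matches any run of characters, '?' one character,
    '\\*' and '\\?' are literal wildcards, '\\\\' is one literal backslash, and
    a backslash in front of any other character is itself a literal backslash.
    """
    parts = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            parts.append(re.escape(value[i + 1]))  # escaped wildcard / backslash
            i += 2
        elif c == "*":
            parts.append(".*")
            i += 1
        elif c == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(c))  # plain char, incl. a lone backslash
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


PIPE_PATTERNS = [sigma_value_to_regex(v) for v in TURLA_PIPE_NAMES]


def selection_matches(event: dict) -> bool:
    """Evaluate 'selection' from the rule against one Sysmon event dict."""
    # Assumed backend mapping: category pipe_created -> Sysmon Event ID 17.
    if event.get("EventID") != 17:
        return False
    pipe_name = event.get("PipeName", "")
    # A list under a field is OR-ed; each value is an exact (anchored) match.
    return any(p.match(pipe_name) for p in PIPE_PATTERNS)


def scan(events):
    """Return the events that the rule would alert on."""
    return [e for e in events if selection_matches(e)]


# Constructed sample telemetry (not real events), shaped like Sysmon EID 17/18.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\atctl",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 4120},
    {"EventID": 17, "PipeName": r"\COMNAP",  # case differs, still matches
     "Image": r"C:\Users\Public\update.exe", "ProcessId": 5532},
    {"EventID": 17, "PipeName": r"\mojo.4596.1084.1234",  # benign browser pipe
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 4596},
    {"EventID": 17, "PipeName": r"\rpc",  # the commented-out, noisy value
     "Image": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 2208},
    {"EventID": 18, "PipeName": r"\userpipe",  # pipe_connected, not pipe_created
     "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 6012},
    {"EventID": 17, "PipeName": r"\atctl_backup",  # substring only, no match
     "Image": r"C:\Temp\tool.exe", "ProcessId": 7040},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT Turla named pipe: pid={hit['ProcessId']} "
              f"image={hit['Image']} pipe={hit['PipeName']}")
```

Two of the six constructed records fire: the literal `\atctl` and the differently-cased `\COMNAP`. The `\rpc` record does not, because that value is commented out in the rule; un-commenting it would also catch ordinary RPC pipes, which is the false-positive problem noted in the rule. The `\atctl_backup` record shows that a Sigma value without wildcards is an exact match, not a substring match, so a sample that varies the pipe name by even one character slips past this rule.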
Related rules
- Turla Group Commands May 2020
- Turla Group Lateral Movement
- MSMQ Corrupted Packet Encountered
- PaperCut MF/NG Potential Exploitation
- Suspicious Process Spawned by CentreStack Portal AppPool