Turla Group Named Pipes

Detects a named pipe used by Turla group samples

Sigma rule

title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: test
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
    - https://attack.mitre.org/groups/G0010/
author: Markus Neis
date: 2017/11/06
modified: 2021/11/27
tags:
    - attack.g0010
    - attack.execution
    - attack.t1106
    - detection.emerging_threats
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\atctl'    # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\comnap'   # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\iehelper' # ruag apt case
            - '\sdlrpc'   # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\userpipe' # ruag apt case
            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unlikely
level: critical
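
The matching this rule performs, shown as an added example (not part of the original rule or of the Sigma project's code): a plain Sigma string value is compared against the whole field, case-insensitively, and the list items are ORed. The events, image paths and function names below are constructed or hypothetical; the pipe names and Sysmon event IDs come from the rule.

```python
# Added example: evaluate the rule's selection over constructed Sysmon pipe events.

# Pipe names from the rule's selection (the commented-out '\rpc' is not included).
TURLA_PIPES = {r"\atctl", r"\comnap", r"\iehelper", r"\sdlrpc", r"\userpipe"}

# Sysmon named pipe events named in the logsource definition:
# 17 = pipe created, 18 = pipe connected.
PIPE_EVENT_IDS = {17, 18}


def matches_rule(event: dict) -> bool:
    """Return True if the event satisfies 'condition: selection'."""
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False
    pipe = event.get("PipeName")
    if not isinstance(pipe, str):
        return False
    # No modifier on PipeName: whole-value match, case-insensitive.
    return pipe.lower() in TURLA_PIPES


def hunt(events: list) -> list:
    """Return the events that would raise the alert, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\atctl", "Image": r"C:\Users\Public\sample.exe"},
    {"EventID": 18, "PipeName": r"\COMNAP", "Image": r"C:\Users\Public\sample.exe"},
    # Longer name that only starts with a listed value: no match without a wildcard.
    {"EventID": 17, "PipeName": r"\atctl_svc", "Image": r"C:\Tools\other.exe"},
    # Disabled in the rule because of false positives.
    {"EventID": 17, "PipeName": r"\rpc", "Image": r"C:\Program Files\App\app.exe"},
    # Listed pipe name, but not a pipe event (process creation).
    {"EventID": 1, "PipeName": r"\sdlrpc", "Image": r"C:\Tools\other.exe"},
    # Pipe event with the field missing.
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} PipeName={hit['PipeName']} Image={hit['Image']}")
```
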
