First Time Seen Remote Named Pipe - Zeek
This detection excludes known named pipes that are legitimately accessed remotely and alerts on newly observed ones; it may help detect lateral movement and remote execution over named pipes.
Sigma rule
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
      type: derived
status: test
description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
    filter_keywords:
        - 'samr'
        - 'lsarpc'
        - 'winreg'
        - 'netlogon'
        - 'srvsvc'
        - 'protected_storage'
        - 'wkssvc'
        - 'browser'
        - 'netdfs'
        - 'svcctl'
        - 'spoolss'
        - 'ntsvcs'
        - 'LSM_API_service'
        - 'HydraLsPipe'
        - 'TermSrv_API_service'
        - 'MsFteWds'
    condition: selection and not 1 of filter_*
falsepositives:
    - Update the excluded named pipe list to filter out any newly observed legitimate named pipe
level: high
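To show what the rule's selection and filter actually do against Zeek data, here is an added Python example (not part of the Sigma rule or the Zeek project) that evaluates the same logic over a few constructed smb_files.log lines in Zeek's JSON format. It goes one step beyond the rule by keeping a seen set, so each unknown pipe name alerts only the first time it is observed, which is the stateful behaviour the rule's title implies. The log lines, the pipe names `newpipe_a` and `newpipe_b`, and the host addresses are constructed for the example.

```python
import fnmatch
import json

# Known named pipes the rule excludes (copied from the rule's filter_keywords list).
KNOWN_PIPES = [
    "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage",
    "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs",
    "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds",
]

# The rule's selection, with Sigma escaping resolved: a path of the form \\<host>\IPC$.
# fnmatch treats '\' as a literal character and '*' as the wildcard, matching Sigma semantics.
IPC_PATH_GLOB = r"\\*\IPC$"


def selection_matches(path):
    """Sigma 'path' selection: case-insensitive wildcard match against \\*\IPC$."""
    return fnmatch.fnmatchcase(path.lower(), IPC_PATH_GLOB.lower())


def filter_matches(raw_line):
    """Sigma keyword filter: a known pipe name appearing anywhere in the raw event."""
    lowered = raw_line.lower()
    return any(pipe.lower() in lowered for pipe in KNOWN_PIPES)


class FirstSeenPipeDetector:
    """Evaluates 'selection and not 1 of filter_*', plus a first-seen set (added here, not in the rule)."""

    def __init__(self):
        self.seen = set()  # lower-cased pipe names that have already produced an alert

    def process(self, raw_line):
        event = json.loads(raw_line)
        path = event.get("path", "")
        if not selection_matches(path):
            return None                      # not an IPC$ access at all
        if filter_matches(raw_line):
            return None                      # a known, expected remote pipe
        pipe = event.get("name", "").lower()
        if pipe in self.seen:
            return None                      # already alerted on this pipe name
        self.seen.add(pipe)
        return {
            "pipe": event.get("name"),
            "path": path,
            "src": event.get("id.orig_h"),
            "dst": event.get("id.resp_h"),
        }


# Constructed Zeek smb_files.log lines (JSON output format); these are sample data, not real captures.
SAMPLE_LOG = [
    r'{"ts":1586000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"srvsvc"}',
    r'{"ts":1586000001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"newpipe_a"}',
    r'{"ts":1586000002.3,"uid":"C3","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"tools\\report.txt"}',
    r'{"ts":1586000003.4,"uid":"C4","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"Spoolss"}',
    r'{"ts":1586000004.5,"uid":"C5","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.21","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.21\\ipc$","name":"newpipe_b"}',
    r'{"ts":1586000005.6,"uid":"C6","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"newpipe_a"}',
]


def run(lines):
    """Feed log lines through the detector and return the alerts in order."""
    detector = FirstSeenPipeDetector()
    return [alert for alert in (detector.process(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Of the six constructed lines, only `newpipe_a` and `newpipe_b` produce alerts: `srvsvc` and `Spoolss` are filtered by the keyword list (case-insensitively, as Sigma keywords are), the `C$` access never matches the selection, and the second `newpipe_a` open is suppressed by the seen set. Note that the keyword filter scans the whole event, so a pipe name that merely contains a listed string (for example one containing `browser`) is also excluded; that is the rule's behaviour and worth keeping in mind when tuning the list as the falsepositives note suggests.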
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe