First Time Seen Remote Named Pipe - Zeek
This detection excludes a list of well-known named pipes that are legitimately opened over the network and alerts on any other pipe name seen on an IPC$ tree. Newly observed remote named pipes are a common artefact of lateral movement and remote execution tooling (PsExec-style service installs, scheduled-task and DCOM RPC, and similar), so the rule is most useful once the exclusion list has been tuned to the environment.
Sigma rule

```yaml
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
      type: derived
status: test
description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; may help to detect lateral movement and remote execution using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020/04/02
modified: 2022/12/27
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
    filter_keywords:
        - 'samr'
        - 'lsarpc'
        - 'winreg'
        - 'netlogon'
        - 'srvsvc'
        - 'protected_storage'
        - 'wkssvc'
        - 'browser'
        - 'netdfs'
        - 'svcctl'
        - 'spoolss'
        - 'ntsvcs'
        - 'LSM_API_service'
        - 'HydraLsPipe'
        - 'TermSrv_API_service'
        - 'MsFteWds'
    condition: selection and not 1 of filter_*
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
```

Note that `filter_keywords` is a plain list of strings, so Sigma treats it as a keyword filter: each entry is matched as a substring anywhere in the event, not as an exact value of the Zeek `name` field. Any pipe whose name merely contains one of the listed words is therefore excluded as well, and the `path` value, after Sigma's escaping, is the literal string `\\*\IPC$` as the inline comment states.
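The following is an added example, not part of the rule or of the Sigma or Zeek projects, that applies the rule's logic to Zeek `smb_files.log` records in JSON form and adds a simple "first seen" baseline on top. The sample events are constructed. Two assumptions are made explicit in the code: the `path` check accepts any host component before `\IPC$` (a hostname, an IP, or a literal `*`), which is more permissive than the rule's literal string, and the keyword filter is reproduced as a substring search over the serialised event, which is how Sigma keyword lists behave and which is why the `samr_lookalike` sample is silently excluded.

```python
"""Added example: the 'First Time Seen Remote Named Pipe - Zeek' logic applied
to JSON-formatted Zeek smb_files.log events. Sample events are constructed."""
import json
import re

# Pipe names excluded by the rule's filter_keywords list.
KNOWN_PIPES = [
    "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage",
    "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs",
    "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds",
]

# The rule's selection is the string \\*\IPC$. This regex deliberately accepts
# any host component (hostname, IP or a literal '*') before \IPC$ (assumption).
IPC_PATH = re.compile(r"^\\\\[^\\]+\\IPC\$$")


def matches_selection(event: dict) -> bool:
    """selection: the path is an IPC$ tree, i.e. a named-pipe share."""
    return IPC_PATH.match(event.get("path", "")) is not None


def hits_filter(event: dict) -> bool:
    """filter_keywords: Sigma keyword lists match as substrings anywhere in the
    event, so search the serialised record rather than only the 'name' field."""
    blob = json.dumps(event)
    return any(kw in blob for kw in KNOWN_PIPES)


def detect(events):
    """condition: selection and not 1 of filter_*  ->  list of (pipe, server)."""
    return [
        (ev.get("name"), ev.get("id.resp_h"))
        for ev in events
        if matches_selection(ev) and not hits_filter(ev)
    ]


def first_seen(events, seen=None):
    """Baseline on top of the rule: report a pipe only the first time it is
    observed on a given server. 'seen' is the caller-persisted state (assumption)."""
    seen = set() if seen is None else seen
    new = []
    for pipe, server in detect(events):
        if (pipe, server) not in seen:
            seen.add((pipe, server))
            new.append((pipe, server))
    return new


# Constructed smb_files.log records in Zeek's JSON output shape, not real traffic.
SAMPLE_EVENTS = [
    {"ts": 1.0, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.10",
     "action": "SMB::FILE_OPEN", "path": "\\\\DC01\\IPC$", "name": "svcctl"},
    {"ts": 2.0, "uid": "C4J4Th3PJpwUYZZ6gc", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.10",
     "action": "SMB::FILE_OPEN", "path": "\\\\DC01\\IPC$", "name": "PSEXESVC"},
    {"ts": 3.0, "uid": "CtPZjS20MLrsMUOJi2", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20",
     "action": "SMB::FILE_OPEN", "path": "\\\\FS01\\Users", "name": "report.docx"},
    {"ts": 4.0, "uid": "CUM0KZ3MLUfNB0cl11", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.10",
     "action": "SMB::FILE_OPEN", "path": "\\\\*\\IPC$", "name": "atsvc"},
    {"ts": 5.0, "uid": "CmES5u32sYpV7JYN", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.10",
     "action": "SMB::FILE_OPEN", "path": "\\\\DC01\\IPC$", "name": "samr_lookalike"},
    {"ts": 6.0, "uid": "CmES5u32sYpV7JYM", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.10",
     "action": "SMB::FILE_OPEN", "path": "\\\\DC01\\IPC$", "name": "PSEXESVC"},
]

if __name__ == "__main__":
    # The rule alone fires on every matching event; first_seen() collapses
    # repeats of the same pipe on the same server into a single alert.
    for pipe, server in first_seen(SAMPLE_EVENTS):
        print(f"first seen remote named pipe {pipe!r} on {server}")
```

Running it reports `PSEXESVC` and `atsvc` once each; the repeated `PSEXESVC` open from a second client is collapsed by the baseline, and `samr_lookalike` never surfaces because the substring filter swallows it. If that last behaviour is not acceptable, match the Zeek `name` field exactly against the list instead of using a keyword filter.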
Related rules
- Suspicious PsExec Execution - Zeek
- Potential DCOM InternetExplorer.Application DLL Hijack
- DCERPC SMB Spoolss Named Pipe
- Impacket PsExec Execution
- Remote Service Activity via SVCCTL Named Pipe