First Time Seen Remote Named Pipe - Zeek

 1title: First Time Seen Remote Named Pipe - Zeek
 2id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
 3related:
 4    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
 5      type: derived
 6status: test
 7description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
 8references:
 9    - https://twitter.com/menasec1/status/1104489274387451904
10author: Samir Bousseaden, @neu5ron, Tim Shelton
11date: 2020/04/02
12modified: 2022/12/27
13tags:
14    - attack.lateral_movement
15    - attack.t1021.002
16logsource:
17    product: zeek
18    service: smb_files
19detection:
20    selection:
21        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
22    filter_keywords:
23        - 'samr'
24        - 'lsarpc'
25        - 'winreg'
26        - 'netlogon'
27        - 'srvsvc'
28        - 'protected_storage'
29        - 'wkssvc'
30        - 'browser'
31        - 'netdfs'
32        - 'svcctl'
33        - 'spoolss'
34        - 'ntsvcs'
35        - 'LSM_API_service'
36        - 'HydraLsPipe'
37        - 'TermSrv_API_service'
38        - 'MsFteWds'
39    condition: selection and not 1 of filter_*
40falsepositives:
41    - Update the excluded named pipe to filter out any newly observed legit named pipe
42level: high