First Time Seen Remote Named Pipe
This detection excludes the named pipes that are normally reached over the IPC$ share (an allowlist of well-known RPC endpoints) and alerts on any newly observed one. It can help surface lateral movement and remote execution that rides on a named pipe, at the cost of tuning the allowlist for each environment.
Sigma rule (View on GitHub)
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    false_positives:
        RelativeTargetName:
            - 'atsvc'
            - 'samr'
            - 'lsarpc'
            - 'lsass'
            - 'winreg'
            - 'netlogon'
            - 'srvsvc'
            - 'protected_storage'
            - 'wkssvc'
            - 'browser'
            - 'netdfs'
            - 'svcctl'
            - 'spoolss'
            - 'ntsvcs'
            - 'LSM_API_service'
            - 'HydraLsPipe'
            - 'TermSrv_API_service'
            - 'MsFteWds'
            - 'sql\query'
            - 'eventlog'
    condition: selection1 and not false_positives
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
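The rule above is stateless: despite its name, it fires on every 5145 event whose RelativeTargetName is outside the allowlist, not just the first time a pipe is seen. The following Python is an added example (not code from the Sigma project or the rule author) that replays the rule's `selection1 and not false_positives` logic over constructed 5145 records and then wraps it in the per-pipe state a true "first time seen" detection needs. It assumes the SIEM presents the EventData fields as flat key/value pairs, and it compares case-insensitively because Sigma string matching is case-insensitive by default; the sample events, hosts and pipe names are constructed.

```python
"""Replay of the "First Time Seen Remote Named Pipe" logic over constructed
Security event 5145 records (example code, not part of the Sigma project)."""

# Allowlist copied from the rule's false_positives selection. Sigma string
# matching is case-insensitive unless a modifier says otherwise, so the
# comparison below lower-cases both sides.
KNOWN_PIPES = {
    "atsvc", "samr", "lsarpc", "lsass", "winreg", "netlogon", "srvsvc",
    "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss",
    "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service",
    "MsFteWds", "sql\\query", "eventlog",
}
KNOWN_PIPES_LOWER = {p.lower() for p in KNOWN_PIPES}

# Literal share name the rule matches (\\*\IPC$). The YAML escapes the
# backslashes and the star for Sigma; in Python a raw string is enough.
IPC_SHARE = r"\\*\IPC$"


def matches_rule(event):
    """Stateless evaluation of `selection1 and not false_positives`."""
    if event.get("EventID") != 5145:
        return False
    if event.get("ShareName", "").lower() != IPC_SHARE.lower():
        return False
    pipe = event.get("RelativeTargetName", "")
    return pipe.lower() not in KNOWN_PIPES_LOWER


def alerts(events):
    """Every event the Sigma rule as written would fire on, in order."""
    return [e for e in events if matches_rule(e)]


def first_time_seen(events, baseline=()):
    """Fire once per pipe name: stateful wrapper the rule itself lacks.

    `baseline` seeds pipes already observed earlier, e.g. the output of a
    learning period, so known-good pipes never alert again (assumption:
    the caller persists that set between runs)."""
    seen = {p.lower() for p in baseline}
    new = []
    for e in events:
        if not matches_rule(e):
            continue
        key = e["RelativeTargetName"].lower()
        if key not in seen:
            seen.add(key)
            new.append(e)
    return new


# Constructed sample records shaped like the 5145 EventData fields a SIEM
# would present; none of these come from a real network.
SAMPLE_EVENTS = [
    {"EventID": 5145, "IpAddress": "10.0.0.21", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},      # allowlisted
    {"EventID": 5145, "IpAddress": "10.0.0.21", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "SVCCTL"},      # case differs, still allowlisted
    {"EventID": 5145, "IpAddress": "10.0.0.21", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe"},  # not IPC$, out of scope
    {"EventID": 5145, "IpAddress": "10.0.0.21", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC"},    # new pipe: alert
    {"EventID": 5145, "IpAddress": "10.0.0.44", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "psexesvc"},    # same pipe, second host
    {"EventID": 5140, "IpAddress": "10.0.0.44", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\IPC$"},                                       # wrong event ID
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("rule hit  :", e["IpAddress"], e["RelativeTargetName"])
    for e in first_time_seen(SAMPLE_EVENTS):
        print("first seen:", e["IpAddress"], e["RelativeTargetName"])
```

Run as-is, the stateless rule reports the pipe from both 10.0.0.21 and 10.0.0.44, while the stateful wrapper reports it once; seeding `baseline` with the pipes collected during a quiet period is how the rule's own falsepositives note ("update the excluded named pipe") gets automated rather than edited by hand.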
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe