First Time Seen Remote Named Pipe

 1title: First Time Seen Remote Named Pipe
 2id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
 3status: test
 4description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
 5references:
 6    - https://twitter.com/menasec1/status/1104489274387451904
 7author: Samir Bousseaden
 8date: 2019/04/03
 9modified: 2023/03/14
10tags:
11    - attack.lateral_movement
12    - attack.t1021.002
13logsource:
14    product: windows
15    service: security
16    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
17detection:
18    selection1:
19        EventID: 5145
20        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
21    false_positives:
22        RelativeTargetName:
23            - 'atsvc'
24            - 'samr'
25            - 'lsarpc'
26            - 'lsass'
27            - 'winreg'
28            - 'netlogon'
29            - 'srvsvc'
30            - 'protected_storage'
31            - 'wkssvc'
32            - 'browser'
33            - 'netdfs'
34            - 'svcctl'
35            - 'spoolss'
36            - 'ntsvcs'
37            - 'LSM_API_service'
38            - 'HydraLsPipe'
39            - 'TermSrv_API_service'
40            - 'MsFteWds'
41            - 'sql\query'
42            - 'eventlog'
43    condition: selection1 and not false_positives
44falsepositives:
45    - Update the excluded named pipe to filter out any newly observed legit named pipe
46level: high