Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
Sigma rule
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
description: Detects remote service activity via remote access to the svcctl named pipe
references:
    - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
    - attack.lateral-movement
    - attack.persistence
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: svcctl
        AccessList|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium
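As an added example (not code from the Sigma project), the selection above evaluated in Python over constructed Event 5145 records. It shows how Sigma's escaping turns `\\\\\*\\IPC$` into a literal match for `\\*\IPC$` (versus an unescaped `*`, which is a wildcard), and why a read-only open of svcctl does not fire; the `%%44xx` to access-name table is an assumption standing in for the translation a log pipeline normally performs.

```python
import re

# Sigma string syntax: '*' and '?' are wildcards; '\*', '\?' and '\\' are escapes
# for the literal characters. Matching is case-insensitive, as in Sigma.
def sigma_to_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

# Raw 5145 events carry access-mask tokens such as %%4417; a SIEM pipeline
# usually resolves them to names. This small table is an assumption for the demo.
ACCESS_NAMES = {"%%4416": "ReadData", "%%4417": "WriteData", "%%4418": "AppendData"}

SELECTION = {
    "EventID": 5145,
    "ShareName": r"\\\\\*\\IPC$",   # Sigma-escaped form of the literal \\*\IPC$
    "RelativeTargetName": "svcctl",
    "AccessList|contains": "WriteData",
}

def matches(event: dict) -> bool:
    """Evaluate the rule's single selection (condition: selection) on one event."""
    for key, want in SELECTION.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if field == "AccessList":
            value = " ".join(ACCESS_NAMES.get(t, t) for t in str(value).split())
        if modifier == "contains":
            if str(want).lower() not in str(value).lower():
                return False
        elif isinstance(want, int):
            if value != want:
                return False
        elif not sigma_to_regex(want).match(str(value)):
            return False
    return True

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl",
     "AccessList": "%%4416 %%4417", "IpAddress": "10.0.0.5"},   # write access to svcctl: hit
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl",
     "AccessList": "%%4416", "IpAddress": "10.0.0.6"},          # read-only open: no hit
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "AccessList": "%%4416 %%4417", "IpAddress": "10.0.0.7"},   # different pipe: no hit
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "svcctl",
     "AccessList": "%%4417", "IpAddress": "10.0.0.8"},          # not the IPC$ share: no hit
]

def alerts(events):
    return [e for e in events if matches(e)]
```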
Related rules
- Password Provided In Command Line Of Net.EXE
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder