Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
Sigma rule

title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
description: Detects remote service activity via remote access to the svcctl named pipe
references:
    - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
date: 2019/04/03
modified: 2022/08/11
tags:
    - attack.lateral_movement
    - attack.persistence
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: svcctl
        Accesses|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium
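The following is an added example, not part of the Sigma project or of this rule page: a small evaluator that applies the rule's `selection` block (EventID 5145, ShareName `\\*\IPC$`, RelativeTargetName `svcctl`, Accesses containing `WriteData`) to Security events with Sigma's case-insensitive string semantics, then groups hits by source address and account. The events in SAMPLE_EVENTS are constructed, and the assumption that the Accesses field carries the resolved access-right text (for example "WriteData (or AddFile)") rather than raw `%%` codes is the example's own.

```python
# Added example (not from the Sigma project or the rule page): evaluate this
# rule's selection against Security 5145 events and summarise the hits.
from typing import Dict, Iterable, List, Tuple

# In Sigma, `\\` is an escaped backslash and `\*` an escaped asterisk, so the
# rule's '\\\\\*\\IPC$' denotes the literal share name \\*\IPC$.
SHARE_NAME = r"\\*\IPC$"
TARGET_PIPE = "svcctl"
REQUIRED_ACCESS = "writedata"  # Sigma `contains` is case-insensitive


def matches_rule(event: Dict[str, object]) -> bool:
    """Return True when the event satisfies every field of the selection."""
    if event.get("EventID") != 5145:
        return False
    # Plain Sigma string values are case-insensitive exact matches.
    if str(event.get("ShareName", "")).lower() != SHARE_NAME.lower():
        return False
    if str(event.get("RelativeTargetName", "")).lower() != TARGET_PIPE:
        return False
    # Assumption: Accesses holds the resolved right names of event 5145
    # (e.g. "WriteData (or AddFile)"), which the rule's substring check targets.
    return REQUIRED_ACCESS in str(event.get("Accesses", "")).lower()


def hunt(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter an event stream down to the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def summarize(events: Iterable[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Count hits per (source IP, account) so a responder sees who wrote to
    the svcctl pipe from where."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in hunt(events):
        key = (str(e.get("IpAddress", "?")), str(e.get("SubjectUserName", "?")))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events, not real telemetry. Field names follow those
# exposed by Security event 5145 ("A network share object was checked to see
# whether client can be granted desired access").
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 1) write access to svcctl over IPC$: the rule should fire
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl",
     "Accesses": "ReadData (or ListDirectory)\n\t\tWriteData (or AddFile)",
     "SubjectUserName": "adm-j.doe", "IpAddress": "10.0.0.5"},
    # 2) read-only open of svcctl: no WriteData, no hit
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl",
     "Accesses": "ReadData (or ListDirectory)",
     "SubjectUserName": "svc-monitor", "IpAddress": "10.0.0.9"},
    # 3) write to a different pipe (srvsvc): outside this rule's scope
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "Accesses": "WriteData (or AddFile)",
     "SubjectUserName": "adm-j.doe", "IpAddress": "10.0.0.5"},
    # 4) wrong event ID (5140 = share accessed), otherwise identical: no hit
    {"EventID": 5140, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl",
     "Accesses": "WriteData (or AddFile)",
     "SubjectUserName": "adm-j.doe", "IpAddress": "10.0.0.5"},
    # 5) a file named svcctl on an admin share, not the IPC$ pipe: no hit
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": "svcctl",
     "Accesses": "WriteData (or AddFile)",
     "SubjectUserName": "adm-j.doe", "IpAddress": "10.0.0.5"},
    # 6) same as 1) with different casing: Sigma matching is case-insensitive
    {"EventID": 5145, "ShareName": r"\\*\ipc$", "RelativeTargetName": "SVCCTL",
     "Accesses": "WRITEDATA (or AddFile)",
     "SubjectUserName": "adm-j.doe", "IpAddress": "10.0.0.5"},
]


if __name__ == "__main__":
    for (ip, user), n in summarize(SAMPLE_EVENTS).items():
        print(f"{ip} {user}: {n} write(s) to svcctl over IPC$")
```

Running the block prints one line for the constructed source `10.0.0.5`; the read-only open, the srvsvc write, the 5140 event and the `C$` file access are all filtered out, which illustrates why the rule keys on the share name and the `WriteData` right rather than on the pipe name alone.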
Related rules
- DCERPC SMB Spoolss Named Pipe
- Impacket PsExec Execution
- Persistence and Execution at Scale via GPO Scheduled Task
- Remote Task Creation via ATSVC Named Pipe
- Suspicious PsExec Execution