HackTool - EfsPotato Named Pipe Creation

 1title: HackTool - EfsPotato Named Pipe Creation
 2id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
 3status: experimental
 4description: Detects the pattern of a pipe name as used by the hack tool EfsPotato
 5references:
 6    - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
 7    - https://github.com/zcgonvh/EfsPotato
 8author: Florian Roth (Nextron Systems)
 9date: 2021/08/23
10modified: 2023/12/21
11tags:
12    - attack.defense_evasion
13    - attack.privilege_escalation
14    - attack.t1055
15logsource:
16    product: windows
17    category: pipe_created
18    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
19detection:
20    selection:
21        PipeName|contains:
22            - '\pipe\'
23            - '\pipe\srvsvc'  # more specific version (use only this one if the other causes too many false positives)
24    filter_optional_ctx:
25        PipeName|contains: '\CtxShare'
26    filter_optional_default:
27        PipeName|startswith: '\pipe\' # excludes pipes that start with \pipe\*
28    condition: selection and not 1 of filter_optional_*
29falsepositives:
30    - \pipe\LOCAL\Monitorian # https://github.com/emoacht/Monitorian
31level: high