Malicious Named Pipe Created

 1title: Malicious Named Pipe Created
 2id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
 3status: test
 4description: Detects the creation of a named pipe seen used by known APTs or malware.
 5references:
 6    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
 7    - https://securelist.com/faq-the-projectsauron-apt/75533/
 8    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 9    - https://www.us-cert.gov/ncas/alerts/TA17-117A
10    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
11    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
12    - https://github.com/RiccardoAncarani/LiquidSnake
13    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
14    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
15    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
16    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
17    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
18author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
19date: 2017/11/06
20modified: 2023/08/07
21tags:
22    - attack.defense_evasion
23    - attack.privilege_escalation
24    - attack.t1055
25logsource:
26    product: windows
27    category: pipe_created
28    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
29detection:
30    selection:
31        PipeName:
32            - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron
33            - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware
34            - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake
35            - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
36            - '\adschemerpc'  # Turla HyperStack
37            - '\ahexec'  # Sofacy group malware
38            - '\AnonymousPipe'  # Hidden Cobra Hoplight
39            - '\bc31a7'  # Pacifier
40            - '\bc367'  # Pacifier
41            - '\bizkaz'  # Snatch Ransomware
42            - '\csexecsvc' # CSEXEC default
43            - '\dce_3d' # Qbot
44            - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron
45            - '\gruntsvc' # Covenant default
46            - '\isapi_dg'  # Uroburos Malware
47            - '\isapi_dg2'  # Uroburos Malware
48            - '\isapi_http'  # Uroburos Malware
49            - '\jaccdpqnvbrrxlaf' # PoshC2 default
50            - '\lsassw'  # Wild Neutron APT malware
51            - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves
52            - '\pcheap_reuse'  # Pipe used by Equation Group malware
53            - '\Posh*' # PoshC2 default
54            - '\rpchlp_3'  # Project Sauron
55            - '\sdlrpc'  # Cobra Trojan
56            - '\svcctl' # Crackmapexec smbexec default
57            - '\testPipe'  # Emissary Panda Hyperbro
58            - '\winsession'  # Wild Neutron APT malware
59            # - '\status_*' # CS default  https://github.com/SigmaHQ/sigma/issues/253
60    condition: selection
61falsepositives:
62    - Unknown
63level: critical

References

• Wild Neutron – Economic espionage threat actor returns with new tricks

  

  A powerful threat actor known as “Wild Neutron” has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.

  
  Read More

• ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms

  

  ‘ProjectSauron’ – a nation-state threat actor attacking state organizations with a unique set of tools for each victim, making traditional indicators of compromise almost useless. The aim of the attacks appears to be mainly cyber-espionage.

  
  Read More

• Wayback Machine

  COLLECTED BY Web archive data from a crawl of open access PDF URLs provided by Unpaywall. TIMESTAMPS The Wayback Machine - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-sec...

  
  Read More

• Intrusions Affecting Multiple Victims Across Multiple Sectors | CISA

  Systems Affected Networked Systems Overview This Alert has been updated to reflect the U.S. Government's public attribution of this activity to the Chinese government. The U.S. Government announced...

  
  Read More

• SolarWinds Supply Chain Attack Uses SUNBURST Backdoor

  

  A highly evasive attacker leverages a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute SUNBURST malware.

  
  Read More

• Snatch Ransomware - The DFIR Report

  

  Another RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to running a … Read More

  
  Read More

• GitHub - RiccardoAncarani/LiquidSnake: LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript

  

  LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript - RiccardoAncarani/LiquidSnake

  
  Read More

• Accenture Blogs

  

  Discover innovation stories from our leading bloggers. From cloud computing to strategy, this is the place where new ideas come alive.

  
  Read More

• MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA

  Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contain...

  
  Read More

• Éȱm’Òxº4Ý-6ëBZuF°›H—$Dµ°‘%94”ˆ ò4M ïÂœ†“¦É`儃T:Ù ª^m;$‘R&É>é.qzD¨Ódˆ@Ò"3lR"šR'®%E“.²rxÙ"(¼<¡%$Ñ=#†S”'-ÔÇK¤Fîd'†Ù=1Nv]’„Wâ�æœà¾á àM±½ÓÓ«˜’› 8ni¸Kœ©Ì«„„´¢¿…5"‡ºbV:Y2±:¡¢x°µ"¥–Y#ü$pI...

  
  Read More

• Emissary Panda Attacks Middle East Government SharePoint Servers

  

  Our latest research shows attacks against Middle East government Sharepoint servers using a newly patched vulnerability. In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research.

  
  Read More

• Qbot and Zerologon Lead To Full Domain Compromise

  

  In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of QBot (a.k.a. Quakbot/Qakbot) malware.

  
  Read More

Related rules

• Process Creation Using Sysnative Folder
• HackTool - EfsPotato Named Pipe Creation
• Malware Shellcode in Verclsid Target Process
• Suspect Svchost Activity
• HackTool - CoercedPotato Named Pipe Creation