NtdllPipe Like Activity Execution
Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
Sigma rule (View on GitHub)
1title: NtdllPipe Like Activity Execution
2id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
3status: test
4description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
5references:
6 - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
7author: Florian Roth (Nextron Systems)
8date: 2022/03/05
9modified: 2023/03/07
10tags:
11 - attack.defense_evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains:
18 - 'type %windir%\system32\ntdll.dll'
19 - 'type %systemroot%\system32\ntdll.dll'
20 - 'type c:\windows\system32\ntdll.dll'
21 - '\\ntdll.dll > \\\\.\\pipe\\'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
The most obvious method would be to read ntdll.dll from the disk using CreateFile and ReadFile, but this triggers the AV heuristics engine as suspected. My next idea was to use a trusted Microsoft ...
Read More
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- DLL Execution Via Register-cimprovider.exe
- Detection of PowerShell Execution via Sqlps.exe
- Devtoolslauncher.exe Executes Specified Binary
- Disabled IE Security Features