NtdllPipe Like Activity Execution
Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
Sigma rule (View on GitHub)
1title: NtdllPipe Like Activity Execution
2id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
3status: test
4description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
5references:
6 - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
7author: Florian Roth (Nextron Systems)
8date: 2022-03-05
9modified: 2023-03-07
10tags:
11 - attack.defense-evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains:
18 - 'type %windir%\system32\ntdll.dll'
19 - 'type %systemroot%\system32\ntdll.dll'
20 - 'type c:\windows\system32\ntdll.dll'
21 - '\\ntdll.dll > \\\\.\\pipe\\'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity