Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Sigma rule (View on GitHub)
1title: Privilege Escalation via Named Pipe Impersonation
2id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
3related:
4 - id: f35c5d71-b489-4e22-a115-f003df287317
5 type: derived
6status: test
7description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
8references:
9 - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
10author: Tim Rauch, Elastic (idea)
11date: 2022/09/27
12modified: 2022/12/30
13tags:
14 - attack.lateral_movement
15 - attack.t1021
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_name:
21 - Image|endswith:
22 - '\cmd.exe'
23 - '\powershell.exe'
24 - OriginalFileName:
25 - 'Cmd.Exe'
26 - 'PowerShell.EXE'
27 selection_args:
28 CommandLine|contains|all:
29 - 'echo'
30 - '>'
31 - '\\\\.\\pipe\\'
32 condition: all of selection*
33falsepositives:
34 - Other programs that cause these patterns (please report)
35level: high
References
-
Privilege Escalation via Named Pipe Impersonationedit Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Met...
Read More
Related rules
- Potential Remote Desktop Tunneling
- Possible Impacket DCOMExec Connection Attempt - Zeek
- Executable Deployment from Remote Share
- Access To ADMIN$ Network Share
- Metasploit SMB Authentication