title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: experimental
description: This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.
author: Samir Bousseaden
date: 2019/04/03
references:
    - https://twitter.com/menasec1/status/1104489274387451904
tags:
    - attack.lateral_movement
    - attack.t1077
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
detection:
    SELECTION_1:
        EventID: 5145
    SELECTION_2:
        ShareName: \\*\IPC$
    SELECTION_3:
        EventID: 5145
    SELECTION_4:
        ShareName: \\*\IPC$
    SELECTION_5:
        RelativeTargetName:
            - atsvc
            - samr
            - lsarpc
            - winreg
            - netlogon
            - srvsvc
            - protected_storage
            - wkssvc
            - browser
            - netdfs
            - svcctl
            - spoolss
            - ntsvcs
            - LSM_API_service
            - HydraLsPipe
            - TermSrv_API_service
            - MsFteWds
    condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4 and SELECTION_5))
falsepositives:
    - Update the excluded named pipe list to filter out any newly observed legitimate named pipe.
level: high
ruletype: SIGMA
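The following is an added example, not part of the Sigma rule above or of the Sigma project: it applies the rule's condition in Python to Event ID 5145 records and adds a small "first seen" baseline so that each previously unseen pipe name is reported once rather than on every access. The events are constructed dictionaries that mimic the EventData fields of a Windows Security 5145 event (ShareName, RelativeTargetName, SubjectUserName, IpAddress); they are not real telemetry, and the `seen` set stands in for whatever state store a real pipeline would use.

```python
"""Apply the 'First Time Seen Remote Named Pipe' rule logic to 5145 events.

Added example; not the original rule's code. Events below are constructed.
"""
import fnmatch

# Allowlist copied from the rule's SELECTION_5 (RelativeTargetName values).
KNOWN_PIPES = {
    "atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc",
    "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss",
    "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds",
}
# Sigma string matching on Windows logs is case-insensitive, so compare lower-cased.
KNOWN_PIPES_LOWER = {p.lower() for p in KNOWN_PIPES}

SHARE_PATTERN = r"\\*\IPC$"  # the rule's ShareName pattern; '*' is a wildcard


def share_matches(share_name: str, pattern: str = SHARE_PATTERN) -> bool:
    """Sigma-style wildcard match: '*' matches any run of characters, case-insensitive."""
    return fnmatch.fnmatchcase(share_name.lower(), pattern.lower())


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's condition:
    (SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4 and SELECTION_5).
    """
    if str(event.get("EventID")) != "5145":        # SELECTION_1 / SELECTION_3
        return False
    if not share_matches(event.get("ShareName", "")):  # SELECTION_2 / SELECTION_4
        return False
    pipe = event.get("RelativeTargetName", "")
    # SELECTION_5 is the exclusion: a known pipe never fires the rule.
    return pipe.lower() not in KNOWN_PIPES_LOWER


def first_seen_alerts(events, seen=None):
    """Run the rule over a sequence of events and report each previously unseen
    pipe name once. `seen` is a hypothetical baseline store (a plain set here)
    that callers can persist between runs."""
    seen = set() if seen is None else seen
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        pipe = ev["RelativeTargetName"].lower()
        if pipe in seen:
            continue
        seen.add(pipe)
        alerts.append({
            "pipe": ev["RelativeTargetName"],
            "source": ev.get("IpAddress", "?"),
            "user": ev.get("SubjectUserName", "?"),
        })
    return alerts


# Constructed sample events (not real logs); pipe name 'svc_pipe_7f3a' is made up.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25"},          # known pipe
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "SAMR",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25"},          # known, mixed case
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svc_pipe_7f3a",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.77"},    # never seen before
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\x.txt",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25"},          # not IPC$
    {"EventID": 5140, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svc_pipe_7f3a",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.77"},    # wrong EventID
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "svc_pipe_7f3a",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.77"},    # repeat of the new pipe
]

if __name__ == "__main__":
    for alert in first_seen_alerts(SAMPLE_EVENTS):
        print(f"new remote named pipe: {alert['pipe']} from {alert['source']} as {alert['user']}")
```

The static allowlist is what the Sigma condition expresses; the `seen` set is the operational half of "first time seen" that a SIEM usually supplies (a lookup table or baseline). Both `matches_rule` and `first_seen_alerts` return values rather than only printing, so the logic can be checked against a sample batch before it is wired to live 5145 telemetry.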