55 lines
1.3 KiB
YAML
55 lines
1.3 KiB
YAML
|
|
title: First Time Seen Remote Named Pipe
|
|
author: Samir Bousseaden
|
|
date: 2019/04/03
|
|
description: This detection excludes known namped pipes accessible remotely and notify
|
|
on newly observed ones, may help to detect lateral movement and remote exec using
|
|
named pipes
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 5145
|
|
SELECTION_2:
|
|
ShareName: \\*\IPC$
|
|
SELECTION_3:
|
|
EventID: 5145
|
|
SELECTION_4:
|
|
ShareName: \\*\IPC$
|
|
SELECTION_5:
|
|
RelativeTargetName:
|
|
- atsvc
|
|
- samr
|
|
- lsarpc
|
|
- winreg
|
|
- netlogon
|
|
- srvsvc
|
|
- protected_storage
|
|
- wkssvc
|
|
- browser
|
|
- netdfs
|
|
- svcctl
|
|
- spoolss
|
|
- ntsvcs
|
|
- LSM_API_service
|
|
- HydraLsPipe
|
|
- TermSrv_API_service
|
|
- MsFteWds
|
|
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4
|
|
and SELECTION_5))
|
|
falsepositives:
|
|
- update the excluded named pipe to filter out any newly observed legit named pipe
|
|
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
|
|
level: high
|
|
logsource:
|
|
definition: The advanced audit policy setting "Object Access > Audit Detailed File
|
|
Share" must be configured for Success/Failure
|
|
product: windows
|
|
service: security
|
|
references:
|
|
- https://twitter.com/menasec1/status/1104489274387451904
|
|
status: experimental
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.t1077
|
|
- attack.t1021.002
|
|
ruletype: SIGMA
|