CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

72 lines
2.6 KiB
YAML
Raw Blame History

title: Malicious Named Pipe
author: Florian Roth, blueteam0ps, elhoim
date: 2017/11/06
description: Detects the creation of a named pipe used by known APT malware
detection:
SELECTION_1:
EventID: 17
SELECTION_2:
EventID: 18
SELECTION_3:
PipeName:
- \isapi_http
- \isapi_dg
- \isapi_dg2
- \sdlrpc
- \ahexec
- \winsession
- \lsassw
- \46a676ab7f179e511e30dd2dc41bd388
- \9f81f59bc58452127884ce513865ed20
- \e710f28d59aa529d6792ca6ff0ca1b34
- \rpchlp_3
- \NamePipe_MoreWindows
- \pcheap_reuse
- \gruntsvc
- \583da945-62af-10e8-4902-a8f205c72b2e
- \bizkaz
- \svcctl
- \Posh*
- \jaccdpqnvbrrxlaf
- \csexecsvc
- \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
- \adschemerpc
- \AnonymousPipe
- \bc367
- \bc31a7
- \testPipe
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
falsepositives:
- Unknown
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
level: critical
logsource:
category: pipe_created
definition: Note that you have to configure logging for Named Pipe Events in Sysmon
config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
https://github.com/olafhartong/sysmon-modular. How to test detection? You can
check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
product: windows
modified: 2021/10/30
references:
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
- https://securelist.com/faq-the-projectsauron-apt/75533/
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://www.us-cert.gov/ncas/alerts/TA17-117A
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/RiccardoAncarani/LiquidSnake
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink