CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/sysmon_mal_namedpipes.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

102 lines
3.9 KiB
YAML
Raw Blame History

title: Malicious Named Pipe
author: Florian Roth, blueteam0ps, elhoim
date: 2017/11/06
description: Detects the creation of a named pipe used by known APT malware
detection:
SELECTION_1:
EventID: 17
SELECTION_10:
PipeName: \46a676ab7f179e511e30dd2dc41bd388
SELECTION_11:
PipeName: \9f81f59bc58452127884ce513865ed20
SELECTION_12:
PipeName: \e710f28d59aa529d6792ca6ff0ca1b34
SELECTION_13:
PipeName: \rpchlp_3
SELECTION_14:
PipeName: \NamePipe_MoreWindows
SELECTION_15:
PipeName: \pcheap_reuse
SELECTION_16:
PipeName: \gruntsvc
SELECTION_17:
PipeName: \583da945-62af-10e8-4902-a8f205c72b2e
SELECTION_18:
PipeName: \bizkaz
SELECTION_19:
PipeName: \svcctl
SELECTION_2:
EventID: 18
SELECTION_20:
PipeName: \Posh*
SELECTION_21:
PipeName: \jaccdpqnvbrrxlaf
SELECTION_22:
PipeName: \csexecsvc
SELECTION_23:
PipeName: \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
SELECTION_24:
PipeName: \adschemerpc
SELECTION_25:
PipeName: \AnonymousPipe
SELECTION_26:
PipeName: \bc367
SELECTION_27:
PipeName: \bc31a7
SELECTION_28:
PipeName: \testPipe
SELECTION_3:
PipeName: \isapi_http
SELECTION_4:
PipeName: \isapi_dg
SELECTION_5:
PipeName: \isapi_dg2
SELECTION_6:
PipeName: \sdlrpc
SELECTION_7:
PipeName: \ahexec
SELECTION_8:
PipeName: \winsession
SELECTION_9:
PipeName: \lsassw
condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28))
falsepositives:
- Unknown
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
level: critical
logsource:
category: pipe_created
definition: Note that you have to configure logging for Named Pipe Events in Sysmon
config (Event ID 17 and Event ID 18). The basic configuration is in popular
sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
https://github.com/olafhartong/sysmon-modular. How to test detection? You
can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
product: windows
modified: 2021/10/30
references:
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
- https://securelist.com/faq-the-projectsauron-apt/75533/
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://www.us-cert.gov/ncas/alerts/TA17-117A
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/RiccardoAncarani/LiquidSnake
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
yml_filename: sysmon_mal_namedpipes.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
Reference in New Issue View Git Blame Copy Permalink