blue-team-tools/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml

title: Malicious Named Pipe
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe used by known APT malware
references:
    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
    - https://securelist.com/faq-the-projectsauron-apt/75533/
    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://github.com/RiccardoAncarani/LiquidSnake
    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017/11/06
modified: 2022/03/15
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\isapi_http'  # Uroburos Malware
            - '\isapi_dg'  # Uroburos Malware
            - '\isapi_dg2'  # Uroburos Malware
            - '\sdlrpc'  # Cobra Trojan
            - '\ahexec'  # Sofacy group malware
            - '\winsession'  # Wild Neutron APT malware
            - '\lsassw'  # Wild Neutron APT malware
            - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron
            - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
            - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron
            - '\rpchlp_3'  # Project Sauron
            - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves
            - '\pcheap_reuse'  # Pipe used by Equation Group malware
            - '\gruntsvc' # Covenant default
            # - '\status_*' # CS default  https://github.com/SigmaHQ/sigma/issues/253
            - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware
            - '\bizkaz'  # Snatch Ransomware
            - '\svcctl' #Crackmapexec smbexec default
            - '\Posh*' #PoshC2 default
            - '\jaccdpqnvbrrxlaf' #PoshC2 default
            - '\csexecsvc' #CSEXEC default
            - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake
            - '\adschemerpc'  # Turla HyperStack
            - '\AnonymousPipe'  # Hidden Cobra Hoplight
            - '\bc367'  # Pacifier
            - '\bc31a7'  # Pacifier
            - '\testPipe'  # Emissary Panda Hyperbro
            - '\dce_3d' #Qbot
    condition: selection
falsepositives:
    - Unknown
level: critical