frack113
46 lines
1.3 KiB
YAML
46 lines
1.3 KiB
YAML
title: First Time Seen Remote Named Pipe
|
|
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
|
|
status: test
|
|
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
|
|
author: Samir Bousseaden
|
|
references:
|
|
- https://twitter.com/menasec1/status/1104489274387451904
|
|
date: 2019/04/03
|
|
modified: 2021/12/06
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
|
|
detection:
|
|
selection1:
|
|
EventID: 5145
|
|
ShareName: \\\*\IPC$
|
|
false_positives:
|
|
RelativeTargetName:
|
|
- 'atsvc'
|
|
- 'samr'
|
|
- 'lsarpc'
|
|
- 'lsass'
|
|
- 'winreg'
|
|
- 'netlogon'
|
|
- 'srvsvc'
|
|
- 'protected_storage'
|
|
- 'wkssvc'
|
|
- 'browser'
|
|
- 'netdfs'
|
|
- 'svcctl'
|
|
- 'spoolss'
|
|
- 'ntsvcs'
|
|
- 'LSM_API_service'
|
|
- 'HydraLsPipe'
|
|
- 'TermSrv_API_service'
|
|
- 'MsFteWds'
|
|
- 'sql\query'
|
|
condition: selection1 and not false_positives
|
|
falsepositives:
|
|
- update the excluded named pipe to filter out any newly observed legit named pipe
|
|
level: high
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.t1021.002
|