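# Sigma rule: named pipes observed in Turla group samples.
# Relies on Sysmon pipe events (EventID 17 = pipe created, 18 = pipe connected);
# if the Sysmon configuration has no PipeEvent rule group, no event is ever
# produced and this rule is silently blind (see logsource.definition below).
title: Turla Group Named Pipes
status: experimental
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
date: 2017/11/06
tags:
    - attack.g0010
author: Markus Neis
logsource:
    product: windows
    service: sysmon
    definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
detection:
    selection:
        # Both pipe creation and pipe connection are matched so that the
        # client side of the pipe is caught even if creation was missed.
        EventID:
            - 17
            - 18
        # Plain Sigma strings are exact matches (no wildcards), so only the
        # pipe names listed here fire; renamed variants will not.
        PipeName:
            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\userpipe' # ruag apt case
            - '\iehelper' # ruag apt case
            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unknown
level: critical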