mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
33 lines
1.0 KiB
YAML
33 lines
1.0 KiB
YAML
|
title: First time seen remote named pipe
|
||
|
|
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
|
||
|
|
author: Samir Bousseaden
|
||
|
|
references:
|
||
|
|
- https://twitter.com/menasec1/status/1104489274387451904
|
||
|
|
tags:
|
||
|
|
- attack.lateral_movement
|
||
|
|
- attack.T1077
|
||
|
|
logsource:
|
||
|
|
product: windows
|
||
|
|
service: security
|
||
|
|
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
|
||
|
|
detection:
|
||
|
|
selection1:
|
||
|
|
EventID: 5145
|
||
|
|
ShareName: \\*\IPC$
|
||
|
|
selection2:
|
||
|
|
EventID: 5145
|
||
|
|
ShareName: \\*\IPC$
|
||
|
|
RelativeTargetName:
|
||
|
|
- 'atsvc'
|
||
|
|
- 'samr'
|
||
|
|
- 'lsarpc'
|
||
|
|
- 'winreg'
|
||
|
|
- 'netlogon'
|
||
|
|
- 'srvsvc'
|
||
|
|
- 'protected_storage'
|
||
|
|
- 'wkssvc'
|
||
|
|
condition: selection1 and not selection2
|
||
|
|
falsepositives:
|
||
|
|
- update the excluded named pipe to filter out any newly observed legit named pipe
|
||
|
|
level: high
|