SigmaHQ/rules/windows/pipe_created/sysmon_mal_namedpipes.yml

title: Malicious Named Pipe
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: experimental
description: Detects the creation of a named pipe used by known APT malware
references:
    - Various sources
date: 2017/11/06
author: Florian Roth
logsource:
   product: windows
   category: pipe_created
   definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
detection:
   selection:
      PipeName: 
         - '\isapi_http'  # Uroburos Malware Named Pipe
         - '\isapi_dg'  # Uroburos Malware Named Pipe
         - '\isapi_dg2'  # Uroburos Malware Named Pipe
         - '\sdlrpc'  # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
         - '\ahexec'  # Sofacy group malware
         - '\winsession'  # Wild Neutron APT malware https://goo.gl/pivRZJ
         - '\lsassw'  # Wild Neutron APT malware https://goo.gl/pivRZJ
         - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron https://goo.gl/eFoP4A
         - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron https://goo.gl/eFoP4A
         - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron https://goo.gl/eFoP4A
         - '\rpchlp_3'  # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
         - '\NamePipe_MoreWindows'  # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
         - '\pcheap_reuse'  # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
         - '\gruntsvc' # Covenant default named pipe
         # - '\status_*'  # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
         - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
         - '\bizkaz'  # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
   condition: selection
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
falsepositives:
   - Unknown
level: critical
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`title: Malicious Named Pipe`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`status: experimental`
			`description: Detects the creation of a named pipe used by known APT malware`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- Various sources`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`date: 2017/11/06`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
- Created new categories for sysmon events - Replaced the explicit EventIDs with the reference to the category - Moved the rules to the corresponding directories 2020-09-30 18:44:14 +00:00			`category: pipe_created`
			`definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`detection:`
			`selection:`
			`PipeName:`
			`- '\isapi_http' # Uroburos Malware Named Pipe`
			`- '\isapi_dg' # Uroburos Malware Named Pipe`
			`- '\isapi_dg2' # Uroburos Malware Named Pipe`
			`- '\sdlrpc' # Cobra Trojan Named Pipe http://goo.gl/8rOZUX`
			`- '\ahexec' # Sofacy group malware`
			`- '\winsession' # Wild Neutron APT malware https://goo.gl/pivRZJ`
			`- '\lsassw' # Wild Neutron APT malware https://goo.gl/pivRZJ`
			`- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron https://goo.gl/eFoP4A`
			`- '\9f81f59bc58452127884ce513865ed20' # Project Sauron https://goo.gl/eFoP4A`
			`- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron https://goo.gl/eFoP4A`
			`- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input`
Remove duplicate value 2018-10-08 18:00:59 +00:00			`- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0`
Add Covenant default named pipe Covenant (https://github.com/cobbr/Covenant) can use named pipes for peer to peer communication. The default named pipe name is "\gruntsvc". References: https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456 2019-12-18 15:19:47 +00:00			`- '\gruntsvc' # Covenant default named pipe`
Rule: suspicious pipes extended https://github.com/Neo23x0/sigma/issues/253 2019-02-21 12:26:39 +00:00			`# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253`
rules: CobaltStrike named pipes 2021-04-23 15:16:09 +00:00			`- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html`
			`- '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`condition: selection`
ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 06:41:54 +00:00			`tags:`
			`- attack.defense_evasion`
Correct MITRE tag 2019-01-22 18:26:07 +00:00			`- attack.privilege_escalation`
ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 06:41:54 +00:00			`- attack.t1055`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`falsepositives:`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`- Unknown`
Sysmon: Named Pipe detection for APT malware 2017-11-06 13:24:42 +00:00			`level: critical`