SigmaHQ/rules/windows/builtin/win_lm_namedpipe.yml
2020-01-30 17:26:09 +01:00

45 lines
1.3 KiB
YAML

title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
using named pipes
author: Samir Bousseaden
date: 2019/04/03
references:
- https://twitter.com/menasec1/status/1104489274387451904
tags:
- attack.lateral_movement
- attack.t1077
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
level: high