mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
35 lines
1.6 KiB
YAML
35 lines
1.6 KiB
YAML
title: Malicious Named Pipe
|
|
status: experimental
|
|
description: Detects the creation of a named pipe used by known APT malware
|
|
reference: Various sources
|
|
date: 2017/11/06
|
|
author: Florian Roth
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
description: 'Note that you have to configure logging for PipeEvents in Symson config'
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 17
|
|
- 18
|
|
PipeName:
|
|
- '\isapi_http' # Uroburos Malware Named Pipe
|
|
- '\isapi_dg' # Uroburos Malware Named Pipe
|
|
- '\isapi_dg2' # Uroburos Malware Named Pipe
|
|
- '\sdlrpc' # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
|
|
- '\ahexec' # Sofacy group malware
|
|
- '\winsession' # Wild Neutron APT malware https://goo.gl/pivRZJ
|
|
- '\lsassw' # Wild Neutron APT malware https://goo.gl/pivRZJ
|
|
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron https://goo.gl/eFoP4A
|
|
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron https://goo.gl/eFoP4A
|
|
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron https://goo.gl/eFoP4A
|
|
- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
|
|
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
|
|
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
|
|
- '\NamePipe_MoreWindows' # US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
|
|
condition: selection
|
|
falsepositives:
|
|
- Unkown
|
|
level: critical
|