SigmaHQ/rules/windows/builtin/win_lm_namedpipe.yml
2019-04-03 15:48:42 +02:00

33 lines
1.0 KiB
YAML

title: First time seen remote named pipe
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1104489274387451904
tags:
- attack.lateral_movement
- attack.T1077
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
level: high