mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-09 02:26:48 +00:00
43 lines
1.9 KiB
YAML
43 lines
1.9 KiB
YAML
title: Malicious Named Pipe
|
|
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
|
|
status: experimental
|
|
description: Detects the creation of a named pipe used by known APT malware
|
|
references:
|
|
- Various sources
|
|
date: 2017/11/06
|
|
author: Florian Roth
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 17
|
|
- 18
|
|
PipeName:
|
|
- '\isapi_http' # Uroburos Malware Named Pipe
|
|
- '\isapi_dg' # Uroburos Malware Named Pipe
|
|
- '\isapi_dg2' # Uroburos Malware Named Pipe
|
|
- '\sdlrpc' # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
|
|
- '\ahexec' # Sofacy group malware
|
|
- '\winsession' # Wild Neutron APT malware https://goo.gl/pivRZJ
|
|
- '\lsassw' # Wild Neutron APT malware https://goo.gl/pivRZJ
|
|
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron https://goo.gl/eFoP4A
|
|
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron https://goo.gl/eFoP4A
|
|
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron https://goo.gl/eFoP4A
|
|
- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
|
|
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
|
|
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
|
|
- '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
|
|
- '\gruntsvc' # Covenant default named pipe
|
|
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
|
|
condition: selection
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.privilege_escalation
|
|
- attack.t1055
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|