C2-NamedPipe
| Id | 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18 |
| Rulename | C2-NamedPipe |
| Description | Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c |
| Severity | High |
| Tactics | CommandAndControl |
| Techniques | T1105 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml |
| Version | 1.0.0 |
| Arm template | 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18.json |
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
'\\psexec', // PSexec default pipe
'\\paexec', // PSexec default pipe
'\\remcom', // PSexec default pipe
'\\csexec', // PSexec default pipe
'\\isapi_http', // Uroburos Malware Named Pipe
'\\isapi_dg', // Uroburos Malware Named Pipe
'\\isapi_dg2', // Uroburos Malware Named Pipe
'\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
'\\ahexec', // Sofacy group malware
'\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
'\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
'\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
'\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
'\\NamePipe_MoreWindows', // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
'\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
'\\gruntsvc', // Covenant default named pipe
'\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
'\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
'\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
'\\userpipe', // ruag apt case
'\\iehelper', // ruag apt case
'\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\lsadump', // Cred Dump-Tools Named Pipes
'\\cachedump', // Cred Dump-Tools Named Pipes
'\\wceservicepipe', // Cred Dump-Tools Named Pipes
'\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
'\\svcctl', // CrackMapExec default named pipe
'\\csexecsvc' // CSEXEC default named pipe
'\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
'\\MSSE-', // CobaltStrike default named pipe
'\\status_', // CobaltStrike default named pipe
'\\msagent_', // (target) CobaltStrike default named pipe
'\\postex_ssh_', // CobaltStrike default named pipe
'\\postex_', // CobaltStrike default named pipe
'\\Posh' // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
queryPeriod: 1d
query: |
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
'\\psexec', // PSexec default pipe
'\\paexec', // PSexec default pipe
'\\remcom', // PSexec default pipe
'\\csexec', // PSexec default pipe
'\\isapi_http', // Uroburos Malware Named Pipe
'\\isapi_dg', // Uroburos Malware Named Pipe
'\\isapi_dg2', // Uroburos Malware Named Pipe
'\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
'\\ahexec', // Sofacy group malware
'\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
'\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
'\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
'\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
'\\NamePipe_MoreWindows', // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
'\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
'\\gruntsvc', // Covenant default named pipe
'\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
'\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
'\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
'\\userpipe', // ruag apt case
'\\iehelper', // ruag apt case
'\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\lsadump', // Cred Dump-Tools Named Pipes
'\\cachedump', // Cred Dump-Tools Named Pipes
'\\wceservicepipe', // Cred Dump-Tools Named Pipes
'\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
'\\svcctl', // CrackMapExec default named pipe
'\\csexecsvc' // CSEXEC default named pipe
'\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
'\\MSSE-', // CobaltStrike default named pipe
'\\status_', // CobaltStrike default named pipe
'\\msagent_', // (target) CobaltStrike default named pipe
'\\postex_ssh_', // CobaltStrike default named pipe
'\\postex_', // CobaltStrike default named pipe
'\\Posh' // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: C2-NamedPipe
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
queryFrequency: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml
tags:
- APT Malware
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
description: |
Detects the creation of a named pipe used by known APT malware.
Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
kind: Scheduled
version: 1.0.0
status: Available
severity: High
relevantTechniques:
- T1105
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
id: 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18