C2-NamedPipe
| Id | 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18 |
| Rulename | C2-NamedPipe |
| Description | Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c |
| Severity | High |
| Tactics | CommandAndControl |
| Techniques | T1105 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml |
| Version | 1.0.0 |
| Arm template | 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18.json |
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
'\\psexec', // PSexec default pipe
'\\paexec', // PSexec default pipe
'\\remcom', // PSexec default pipe
'\\csexec', // PSexec default pipe
'\\isapi_http', // Uroburos Malware Named Pipe
'\\isapi_dg', // Uroburos Malware Named Pipe
'\\isapi_dg2', // Uroburos Malware Named Pipe
'\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
'\\ahexec', // Sofacy group malware
'\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
'\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
'\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
'\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
'\\NamePipe_MoreWindows', // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
'\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
'\\gruntsvc', // Covenant default named pipe
'\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
'\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
'\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
'\\userpipe', // ruag apt case
'\\iehelper', // ruag apt case
'\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\lsadump', // Cred Dump-Tools Named Pipes
'\\cachedump', // Cred Dump-Tools Named Pipes
'\\wceservicepipe', // Cred Dump-Tools Named Pipes
'\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
'\\svcctl', // CrackMapExec default named pipe
'\\csexecsvc' // CSEXEC default named pipe
'\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
'\\MSSE-', // CobaltStrike default named pipe
'\\status_', // CobaltStrike default named pipe
'\\msagent_', // (target) CobaltStrike default named pipe
'\\postex_ssh_', // CobaltStrike default named pipe
'\\postex_', // CobaltStrike default named pipe
'\\Posh' // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
relevantTechniques:
- T1105
name: C2-NamedPipe
requiredDataConnectors:
- dataTypes:
- DeviceEvents
connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
triggerThreshold: 0
id: 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18
tactics:
- CommandAndControl
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml
queryPeriod: 1d
kind: Scheduled
tags:
- APT Malware
queryFrequency: 1d
severity: High
status: Available
description: |
Detects the creation of a named pipe used by known APT malware.
Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
query: |
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
'\\psexec', // PSexec default pipe
'\\paexec', // PSexec default pipe
'\\remcom', // PSexec default pipe
'\\csexec', // PSexec default pipe
'\\isapi_http', // Uroburos Malware Named Pipe
'\\isapi_dg', // Uroburos Malware Named Pipe
'\\isapi_dg2', // Uroburos Malware Named Pipe
'\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
'\\ahexec', // Sofacy group malware
'\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
'\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
'\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
'\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
'\\NamePipe_MoreWindows', // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
'\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
'\\gruntsvc', // Covenant default named pipe
'\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
'\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
'\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
'\\userpipe', // ruag apt case
'\\iehelper', // ruag apt case
'\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\lsadump', // Cred Dump-Tools Named Pipes
'\\cachedump', // Cred Dump-Tools Named Pipes
'\\wceservicepipe', // Cred Dump-Tools Named Pipes
'\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
'\\svcctl', // CrackMapExec default named pipe
'\\csexecsvc' // CSEXEC default named pipe
'\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
'\\MSSE-', // CobaltStrike default named pipe
'\\status_', // CobaltStrike default named pipe
'\\msagent_', // (target) CobaltStrike default named pipe
'\\postex_ssh_', // CobaltStrike default named pipe
'\\postex_', // CobaltStrike default named pipe
'\\Posh' // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ce00cba-f76f-4026-ab7f-7e4f1b67bd18')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ce00cba-f76f-4026-ab7f-7e4f1b67bd18')]",
"properties": {
"alertRuleTemplateName": "7ce00cba-f76f-4026-ab7f-7e4f1b67bd18",
"customDetails": null,
"description": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c\n",
"displayName": "C2-NamedPipe",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml",
"query": "// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)\nlet badPipeNames = pack_array(\n '\\\\psexec', // PSexec default pipe\n '\\\\paexec', // PSexec default pipe\n '\\\\remcom', // PSexec default pipe\n '\\\\csexec', // PSexec default pipe\n '\\\\isapi_http', // Uroburos Malware Named Pipe\n '\\\\isapi_dg', // Uroburos Malware Named Pipe\n '\\\\isapi_dg2', // Uroburos Malware Named Pipe\n '\\\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX\n '\\\\ahexec', // Sofacy group malware\n '\\\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ\n '\\\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ\n '\\\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A\n '\\\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A\n '\\\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A\n '\\\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input\n '\\\\NamePipe_MoreWindows', // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A\n '\\\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0\n '\\\\gruntsvc', // Covenant default named pipe\n '\\\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n '\\\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/\n '\\\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection\n '\\\\userpipe', // ruag apt case\n '\\\\iehelper', // ruag apt case\n '\\\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n '\\\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n '\\\\lsadump', // Cred Dump-Tools Named Pipes\n '\\\\cachedump', // Cred Dump-Tools Named Pipes\n '\\\\wceservicepipe', // Cred Dump-Tools Named Pipes\n '\\\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe\n '\\\\svcctl', // CrackMapExec default named pipe\n '\\\\csexecsvc' // CSEXEC default named pipe\n '\\\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253\n '\\\\MSSE-', // CobaltStrike default named pipe\n '\\\\status_', // CobaltStrike default named pipe\n '\\\\msagent_', // (target) CobaltStrike default named pipe\n '\\\\postex_ssh_', // CobaltStrike default named pipe\n '\\\\postex_', // CobaltStrike default named pipe\n '\\\\Posh' // PoshC2 default named pipe\n);\nDeviceEvents\n| where ActionType == \"NamedPipeEvent\"\n| extend ParsedFields=parse_json(AdditionalFields)\n| where ParsedFields.FileOperation == \"File created\"\n| where ParsedFields.PipeName has_any (badPipeNames)\n| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
"APT Malware"
],
"techniques": [
"T1105"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}