Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

C2-NamedPipe

Back
Id7ce00cba-f76f-4026-ab7f-7e4f1b67bd18
RulenameC2-NamedPipe
DescriptionDetects the creation of a named pipe used by known APT malware.

Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
SeverityHigh
TacticsCommandAndControl
TechniquesT1105
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml
Version1.0.0
Arm template7ce00cba-f76f-4026-ab7f-7e4f1b67bd18.json
Deploy To Azure
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
    '\\psexec',                                     // PSexec default pipe
    '\\paexec',                                     // PSexec default pipe
    '\\remcom',                                     // PSexec default pipe
    '\\csexec',                                     // PSexec default pipe
    '\\isapi_http',                                 // Uroburos Malware Named Pipe
    '\\isapi_dg',                                   // Uroburos Malware Named Pipe
    '\\isapi_dg2',                                  // Uroburos Malware Named Pipe
    '\\sdlrpc',                                     // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
    '\\ahexec',                                     // Sofacy group malware
    '\\winsession',                                 // Wild Neutron APT malware https://goo.gl/pivRZJ
    '\\lsassw',                                     // Wild Neutron APT malware https://goo.gl/pivRZJ
    '\\46a676ab7f179e511e30dd2dc41bd388',           // Project Sauron https://goo.gl/eFoP4A
    '\\9f81f59bc58452127884ce513865ed20',           // Project Sauron https://goo.gl/eFoP4A
    '\\e710f28d59aa529d6792ca6ff0ca1b34',           // Project Sauron https://goo.gl/eFoP4A
    '\\rpchlp_3',                                   // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
    '\\NamePipe_MoreWindows',                       // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
    '\\pcheap_reuse',                               // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
    '\\gruntsvc',                                   // Covenant default named pipe
    '\\583da945-62af-10e8-4902-a8f205c72b2e',       // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    '\\bizkaz',                                     // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
    '\\atctl',                                      // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
    '\\userpipe',                                   // ruag apt case
    '\\iehelper',                                   // ruag apt case
    '\\sdlrpc',                                     // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    '\\comnap',                                     // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    '\\lsadump',                                    // Cred Dump-Tools Named Pipes
    '\\cachedump',                                  // Cred Dump-Tools Named Pipes
    '\\wceservicepipe',                             // Cred Dump-Tools Named Pipes
    '\\jaccdpqnvbrrxlaf',                           // PoshC2 default named pipe
    '\\svcctl',                                     // CrackMapExec default named pipe
    '\\csexecsvc'                                   // CSEXEC default named pipe
    '\\status_',                                    // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
    '\\MSSE-',                                      // CobaltStrike default named pipe
    '\\status_',                                    // CobaltStrike default named pipe
    '\\msagent_',                                   // (target) CobaltStrike default named pipe
    '\\postex_ssh_',                                // CobaltStrike default named pipe
    '\\postex_',                                    // CobaltStrike default named pipe
    '\\Posh'                                        // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerThreshold: 0
severity: High
status: Available
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
version: 1.0.0
tactics:
- CommandAndControl
queryFrequency: 1d
name: C2-NamedPipe
query: |
  // this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
  let badPipeNames = pack_array(
      '\\psexec',                                     // PSexec default pipe
      '\\paexec',                                     // PSexec default pipe
      '\\remcom',                                     // PSexec default pipe
      '\\csexec',                                     // PSexec default pipe
      '\\isapi_http',                                 // Uroburos Malware Named Pipe
      '\\isapi_dg',                                   // Uroburos Malware Named Pipe
      '\\isapi_dg2',                                  // Uroburos Malware Named Pipe
      '\\sdlrpc',                                     // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
      '\\ahexec',                                     // Sofacy group malware
      '\\winsession',                                 // Wild Neutron APT malware https://goo.gl/pivRZJ
      '\\lsassw',                                     // Wild Neutron APT malware https://goo.gl/pivRZJ
      '\\46a676ab7f179e511e30dd2dc41bd388',           // Project Sauron https://goo.gl/eFoP4A
      '\\9f81f59bc58452127884ce513865ed20',           // Project Sauron https://goo.gl/eFoP4A
      '\\e710f28d59aa529d6792ca6ff0ca1b34',           // Project Sauron https://goo.gl/eFoP4A
      '\\rpchlp_3',                                   // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
      '\\NamePipe_MoreWindows',                       // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
      '\\pcheap_reuse',                               // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
      '\\gruntsvc',                                   // Covenant default named pipe
      '\\583da945-62af-10e8-4902-a8f205c72b2e',       // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
      '\\bizkaz',                                     // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
      '\\atctl',                                      // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
      '\\userpipe',                                   // ruag apt case
      '\\iehelper',                                   // ruag apt case
      '\\sdlrpc',                                     // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
      '\\comnap',                                     // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
      '\\lsadump',                                    // Cred Dump-Tools Named Pipes
      '\\cachedump',                                  // Cred Dump-Tools Named Pipes
      '\\wceservicepipe',                             // Cred Dump-Tools Named Pipes
      '\\jaccdpqnvbrrxlaf',                           // PoshC2 default named pipe
      '\\svcctl',                                     // CrackMapExec default named pipe
      '\\csexecsvc'                                   // CSEXEC default named pipe
      '\\status_',                                    // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
      '\\MSSE-',                                      // CobaltStrike default named pipe
      '\\status_',                                    // CobaltStrike default named pipe
      '\\msagent_',                                   // (target) CobaltStrike default named pipe
      '\\postex_ssh_',                                // CobaltStrike default named pipe
      '\\postex_',                                    // CobaltStrike default named pipe
      '\\Posh'                                        // PoshC2 default named pipe
  );
  DeviceEvents
  | where ActionType == "NamedPipeEvent"
  | extend ParsedFields=parse_json(AdditionalFields)
  | where ParsedFields.FileOperation == "File created"
  | where ParsedFields.PipeName has_any (badPipeNames)
  | project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
triggerOperator: gt
relevantTechniques:
- T1105
tags:
- APT Malware
requiredDataConnectors:
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml
description: |
  Detects the creation of a named pipe used by known APT malware.
  Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c  
id: 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ce00cba-f76f-4026-ab7f-7e4f1b67bd18')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ce00cba-f76f-4026-ab7f-7e4f1b67bd18')]",
      "properties": {
        "alertRuleTemplateName": "7ce00cba-f76f-4026-ab7f-7e4f1b67bd18",
        "customDetails": null,
        "description": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c\n",
        "displayName": "C2-NamedPipe",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Command and Control/C2-NamedPipe.yaml",
        "query": "// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)\nlet badPipeNames = pack_array(\n    '\\\\psexec',                                     // PSexec default pipe\n    '\\\\paexec',                                     // PSexec default pipe\n    '\\\\remcom',                                     // PSexec default pipe\n    '\\\\csexec',                                     // PSexec default pipe\n    '\\\\isapi_http',                                 // Uroburos Malware Named Pipe\n    '\\\\isapi_dg',                                   // Uroburos Malware Named Pipe\n    '\\\\isapi_dg2',                                  // Uroburos Malware Named Pipe\n    '\\\\sdlrpc',                                     // Cobra Trojan Named Pipe http://goo.gl/8rOZUX\n    '\\\\ahexec',                                     // Sofacy group malware\n    '\\\\winsession',                                 // Wild Neutron APT malware https://goo.gl/pivRZJ\n    '\\\\lsassw',                                     // Wild Neutron APT malware https://goo.gl/pivRZJ\n    '\\\\46a676ab7f179e511e30dd2dc41bd388',           // Project Sauron https://goo.gl/eFoP4A\n    '\\\\9f81f59bc58452127884ce513865ed20',           // Project Sauron https://goo.gl/eFoP4A\n    '\\\\e710f28d59aa529d6792ca6ff0ca1b34',           // Project Sauron https://goo.gl/eFoP4A\n    '\\\\rpchlp_3',                                   // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input\n    '\\\\NamePipe_MoreWindows',                       // US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A\n    '\\\\pcheap_reuse',                               // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0\n    '\\\\gruntsvc',                                   // Covenant default named pipe\n    '\\\\583da945-62af-10e8-4902-a8f205c72b2e',       // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n    '\\\\bizkaz',                                     // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/\n    '\\\\atctl',                                      // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection\n    '\\\\userpipe',                                   // ruag apt case\n    '\\\\iehelper',                                   // ruag apt case\n    '\\\\sdlrpc',                                     // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n    '\\\\comnap',                                     // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n    '\\\\lsadump',                                    // Cred Dump-Tools Named Pipes\n    '\\\\cachedump',                                  // Cred Dump-Tools Named Pipes\n    '\\\\wceservicepipe',                             // Cred Dump-Tools Named Pipes\n    '\\\\jaccdpqnvbrrxlaf',                           // PoshC2 default named pipe\n    '\\\\svcctl',                                     // CrackMapExec default named pipe\n    '\\\\csexecsvc'                                   // CSEXEC default named pipe\n    '\\\\status_',                                    // CS default named pipes https://github.com/Neo23x0/sigma/issues/253\n    '\\\\MSSE-',                                      // CobaltStrike default named pipe\n    '\\\\status_',                                    // CobaltStrike default named pipe\n    '\\\\msagent_',                                   // (target) CobaltStrike default named pipe\n    '\\\\postex_ssh_',                                // CobaltStrike default named pipe\n    '\\\\postex_',                                    // CobaltStrike default named pipe\n    '\\\\Posh'                                        // PoshC2 default named pipe\n);\nDeviceEvents\n| where ActionType == \"NamedPipeEvent\"\n| extend ParsedFields=parse_json(AdditionalFields)\n| where ParsedFields.FileOperation == \"File created\"\n| where ParsedFields.PipeName has_any (badPipeNames)\n| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          "APT Malware"
        ],
        "techniques": [
          "T1105"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}