Suspicious named pipes
Id | ddf7c669-db26-4215-acaf-11e2953a04e6 |
Rulename | Suspicious named pipes |
Description | This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage. |
Severity | Medium |
Tactics | Execution DefenseEvasion |
Techniques | T1559 T1055 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml |
Version | 1.0.0 |
Arm template | ddf7c669-db26-4215-acaf-11e2953a04e6.json |
let timeframe=1h;
let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
DeviceEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "NamedPipeEvent"
| extend AdditionalFields=parse_json(AdditionalFields)
| extend ThreadId=tostring(AdditionalFields.ThreadId)
| extend PipeName=tostring(AdditionalFields.PipeName)
// creating string based variants of the processIDs for matching several times later
| extend InitiatingPID=tostring(InitiatingProcessId)
| extend InitiatingParentPID=tostring(InitiatingProcessParentId)
// Begin allow-list.
// End allow-list.
| where PipeName has_any (CobaltStrikeDefaults) or
// Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
(PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
(PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId.
(PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.
(PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.
(PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1-3}+" or PipeName has InitiatingPID)) or
// Based on a list of public mallable profiles and a suffix that is a random HEX string.
(PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}$") or
(PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")
queryPeriod: 1h
version: 1.0.0
tactics:
- Execution
- DefenseEvasion
queryFrequency: 1h
id: ddf7c669-db26-4215-acaf-11e2953a04e6
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- DeviceEvents
connectorId: MicrosoftThreatProtection
severity: Medium
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountSid
identifier: Sid
- columnName: AccountName
identifier: Name
- columnName: AccountDomain
identifier: NTDomain
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- entityType: Process
fieldMappings:
- columnName: ProcessCommandLine
identifier: CommandLine
triggerThreshold: 0
relevantTechniques:
- T1559
- T1055
query: |
let timeframe=1h;
let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
DeviceEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "NamedPipeEvent"
| extend AdditionalFields=parse_json(AdditionalFields)
| extend ThreadId=tostring(AdditionalFields.ThreadId)
| extend PipeName=tostring(AdditionalFields.PipeName)
// creating string based variants of the processIDs for matching several times later
| extend InitiatingPID=tostring(InitiatingProcessId)
| extend InitiatingParentPID=tostring(InitiatingProcessParentId)
// Begin allow-list.
// End allow-list.
| where PipeName has_any (CobaltStrikeDefaults) or
// Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
(PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
(PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId.
(PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.
(PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.
(PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1-3}+" or PipeName has InitiatingPID)) or
// Based on a list of public mallable profiles and a suffix that is a random HEX string.
(PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}$") or
(PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")
kind: Scheduled
name: Suspicious named pipes
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml
description: |
This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ddf7c669-db26-4215-acaf-11e2953a04e6')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ddf7c669-db26-4215-acaf-11e2953a04e6')]",
"properties": {
"alertRuleTemplateName": "ddf7c669-db26-4215-acaf-11e2953a04e6",
"customDetails": null,
"description": "This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.\n",
"displayName": "Suspicious named pipes",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountSid",
"identifier": "Sid"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml",
"query": "let timeframe=1h;\nlet CobaltStrikeDefaults= dynamic([@\"msagent_\", @\"MSSE-\", @\"postex_\", @\"status_\", @\"mypipe-f\", @\"mypipe-h\",@\"ntsvcs_\",@\"scerpc_\", @\"mojo.5688.8052.\"]);\nlet CobaltStrikeMallable= dynamic([@\"win_svc\", @\"ntsvcs\", @\"scerpc\", @\"status_\", @\"SearchTextHarvester\", @\"DserNamePipe\",@\"wkssvc_\",@\"scerpc_\", @\"spoolss_\",@\"CatalogChangeListener\",@\"fullduplex_\",@\"demoagent_\",@\"PGMessagePipe\",@\"MsFteWds\",@\"postex_ssh_\",@\"windows.update.manager\",@\"\\f4c3\",@\"\\f53f\",@\"halfduplex_\"]);\nDeviceEvents\n| where Timestamp >= ago(timeframe)\n| where ActionType == \"NamedPipeEvent\"\n| extend AdditionalFields=parse_json(AdditionalFields)\n| extend ThreadId=tostring(AdditionalFields.ThreadId)\n| extend PipeName=tostring(AdditionalFields.PipeName)\n// creating string based variants of the processIDs for matching several times later\n| extend InitiatingPID=tostring(InitiatingProcessId)\n| extend InitiatingParentPID=tostring(InitiatingProcessParentId)\n// Begin allow-list.\n// End allow-list.\n| where PipeName has_any (CobaltStrikeDefaults) or\n// Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.\n (PipeName matches regex @\"\\\\mojo\\.\\d+\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\mojo\\.\\d+\\.\\d+\\.\\d+$\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or\n// Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.\n (PipeName matches regex @\"\\\\(edge|chrome)\\.sync\\.\\d+\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\(edge|chrome|edge\\.sync|chrome\\.sync)\\.\\d+\\.\\d+\\.\\d+$\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or\n// PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId.\n (PipeName matches regex @\"\\\\PSHost\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\PSHost\\.\\d+\\.\\d+\\.\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or\n// Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.\n (PipeName matches regex @\"\\\\crashpad_\" and not(PipeName matches regex @\"\\\\crashpad_\\d+_[A-Z]+\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or\n// Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.\n (PipeName matches regex @\"\\\\cubeb-pipe-\" and not(PipeName matches regex @\"\\\\cubeb-pipe-\\d+_[0-9]{1-3}+\" or PipeName has InitiatingPID)) or\n// Based on a list of public mallable profiles and a suffix that is a random HEX string.\n (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @\"[a-fA-F0-9]{2,10}$\") or\n (PipeName matches regex @\"\\\\pipe\\\\[0-9a-f]{7,10}\" or PipeName matches regex @\"\\\\pipe\\\\[0-9a-f]{8}\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Execution"
],
"techniques": [
"T1055",
"T1559"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}