Suspicious named pipes

Back


Id	ddf7c669-db26-4215-acaf-11e2953a04e6
Rulename	Suspicious named pipes
Description	This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
Severity	Medium
Tactics	Execution DefenseEvasion
Techniques	T1559 T1055
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml
Version	1.0.0
Arm template	ddf7c669-db26-4215-acaf-11e2953a04e6.json

KQL

let timeframe=1h;
let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
DeviceEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "NamedPipeEvent"
| extend AdditionalFields=parse_json(AdditionalFields)
| extend ThreadId=tostring(AdditionalFields.ThreadId)
| extend PipeName=tostring(AdditionalFields.PipeName)
// creating string based variants of the processIDs for matching several times later
| extend InitiatingPID=tostring(InitiatingProcessId)
| extend InitiatingParentPID=tostring(InitiatingProcessParentId)
// Begin allow-list.
// End allow-list.
| where PipeName has_any (CobaltStrikeDefaults) or
// Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
      (PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
      (PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId.
      (PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.
      (PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.
      (PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1-3}+" or PipeName has InitiatingPID)) or
// Based on a list of public mallable profiles and a suffix that is a random HEX string.
      (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}$") or
      (PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")

YAML

name: Suspicious named pipes
status: Available
triggerThreshold: 0
severity: Medium
tactics:
- Execution
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.0
triggerOperator: gt
description: |
    This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
query: |
  let timeframe=1h;
  let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
  let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
  DeviceEvents
  | where Timestamp >= ago(timeframe)
  | where ActionType == "NamedPipeEvent"
  | extend AdditionalFields=parse_json(AdditionalFields)
  | extend ThreadId=tostring(AdditionalFields.ThreadId)
  | extend PipeName=tostring(AdditionalFields.PipeName)
  // creating string based variants of the processIDs for matching several times later
  | extend InitiatingPID=tostring(InitiatingProcessId)
  | extend InitiatingParentPID=tostring(InitiatingProcessParentId)
  // Begin allow-list.
  // End allow-list.
  | where PipeName has_any (CobaltStrikeDefaults) or
  // Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
        (PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
  // Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.
        (PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
  // PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId.
        (PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
  // Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.
        (PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
  // Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.
        (PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1-3}+" or PipeName has InitiatingPID)) or
  // Based on a list of public mallable profiles and a suffix that is a random HEX string.
        (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}$") or
        (PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")  
relevantTechniques:
- T1559
- T1055
id: ddf7c669-db26-4215-acaf-11e2953a04e6
requiredDataConnectors:
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ddf7c669-db26-4215-acaf-11e2953a04e6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ddf7c669-db26-4215-acaf-11e2953a04e6')]",
      "properties": {
        "alertRuleTemplateName": "ddf7c669-db26-4215-acaf-11e2953a04e6",
        "customDetails": null,
        "description": "This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.\n",
        "displayName": "Suspicious named pipes",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml",
        "query": "let timeframe=1h;\nlet CobaltStrikeDefaults= dynamic([@\"msagent_\", @\"MSSE-\", @\"postex_\", @\"status_\", @\"mypipe-f\", @\"mypipe-h\",@\"ntsvcs_\",@\"scerpc_\", @\"mojo.5688.8052.\"]);\nlet CobaltStrikeMallable= dynamic([@\"win_svc\", @\"ntsvcs\", @\"scerpc\", @\"status_\", @\"SearchTextHarvester\", @\"DserNamePipe\",@\"wkssvc_\",@\"scerpc_\", @\"spoolss_\",@\"CatalogChangeListener\",@\"fullduplex_\",@\"demoagent_\",@\"PGMessagePipe\",@\"MsFteWds\",@\"postex_ssh_\",@\"windows.update.manager\",@\"\\f4c3\",@\"\\f53f\",@\"halfduplex_\"]);\nDeviceEvents\n| where Timestamp >= ago(timeframe)\n| where ActionType == \"NamedPipeEvent\"\n| extend AdditionalFields=parse_json(AdditionalFields)\n| extend ThreadId=tostring(AdditionalFields.ThreadId)\n| extend PipeName=tostring(AdditionalFields.PipeName)\n// creating string based variants of the processIDs for matching several times later\n| extend InitiatingPID=tostring(InitiatingProcessId)\n| extend InitiatingParentPID=tostring(InitiatingProcessParentId)\n// Begin allow-list.\n// End allow-list.\n| where PipeName has_any (CobaltStrikeDefaults) or\n// Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.\n      (PipeName matches regex @\"\\\\mojo\\.\\d+\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\mojo\\.\\d+\\.\\d+\\.\\d+$\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or\n// Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.\n      (PipeName matches regex @\"\\\\(edge|chrome)\\.sync\\.\\d+\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\(edge|chrome|edge\\.sync|chrome\\.sync)\\.\\d+\\.\\d+\\.\\d+$\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or\n// PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId.\n      (PipeName matches regex @\"\\\\PSHost\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\PSHost\\.\\d+\\.\\d+\\.\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or\n// Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.\n      (PipeName matches regex @\"\\\\crashpad_\" and not(PipeName matches regex @\"\\\\crashpad_\\d+_[A-Z]+\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or\n// Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.\n      (PipeName matches regex @\"\\\\cubeb-pipe-\" and not(PipeName matches regex @\"\\\\cubeb-pipe-\\d+_[0-9]{1-3}+\" or PipeName has InitiatingPID)) or\n// Based on a list of public mallable profiles and a suffix that is a random HEX string.\n      (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @\"[a-fA-F0-9]{2,10}$\") or\n      (PipeName matches regex @\"\\\\pipe\\\\[0-9a-f]{7,10}\" or PipeName matches regex @\"\\\\pipe\\\\[0-9a-f]{8}\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1055",
          "T1559"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}