Microsoft Sentinel Analytic Rules

Suspicious named pipes

Id: ddf7c669-db26-4215-acaf-11e2953a04e6
Rule name: Suspicious named pipes
Description: This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
Severity: Medium
Tactics: Execution, DefenseEvasion
Techniques: T1559, T1055
Required data connectors: MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml
Version: 1.0.0
Arm template: ddf7c669-db26-4215-acaf-11e2953a04e6.json
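// Suspicious named pipes (Microsoft Defender XDR DeviceEvents, ActionType NamedPipeEvent).
// A row is returned when the pipe name either is one of the known Cobalt Strike pipe
// names, or follows a naming pattern associated with Cobalt Strike. Several legitimate
// products (Chromium-based browsers, Teams, PowerShell, Crashpad, Firefox) use the same
// prefixes, so each pattern clause has a negative branch that suppresses pipes carrying
// the initiating (parent) process id or thread id, which the tool does not reproduce.
// Look-back window; matches the rule's 1h query period.
let timeframe=1h;
// Default pipe names shipped with Cobalt Strike, matched as whole terms via has_any.
let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
// Pipe-name stems taken from public Malleable C2 profiles. These alone are too generic
// to alert on, so they are only used together with the trailing hex-suffix check below.
let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
DeviceEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "NamedPipeEvent"
| extend AdditionalFields=parse_json(AdditionalFields)
| extend ThreadId=tostring(AdditionalFields.ThreadId)
| extend PipeName=tostring(AdditionalFields.PipeName)
// String versions of the process ids so they can be searched for inside PipeName with `has`.
| extend InitiatingPID=tostring(InitiatingProcessId)
| extend InitiatingParentPID=tostring(InitiatingProcessParentId)
// Begin allow-list.
// Environment-specific exclusions (e.g. `| where not(...)`) belong between these two markers.
// End allow-list.
| where PipeName has_any (CobaltStrikeDefaults) or
// Mojo pipes are created by Chromium-based browsers and Teams; legitimate ones carry the
// (parent) ProcessId and ThreadId plus a random character string, whereas Cobalt Strike generates hex.
      (PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// Chromium-based browser sync pipes follow the same scheme: (parent) ProcessId and ThreadId
// plus a random character string; Cobalt Strike generates hex.
      (PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// PSHost pipes are created by PowerShell and include the (parent) ProcessId.
      (PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Crashpad pipes include the ProcessId followed by a string of upper-case characters.
      (PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// Firefox (cubeb) pipes include the ProcessId and 1-3 digits that increase with each new pipe.
// NOTE: the suppression regex previously read "[0-9]{1-3}+", which is not a valid repetition
// quantifier and so never matched the legitimate form; "{1,3}" expresses the intended 1-3 digits.
      (PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1,3}" or PipeName has InitiatingPID)) or
// Malleable C2 profile stems combined with a short random HEX suffix at the end of the name.
      (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}$") or
// Bare hex pipe names; the `{8}` alternative is already covered by `{7,10}` and is kept only for readability.
      (PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")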
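# Microsoft Sentinel scheduled analytic rule (FalconFriday solution): Suspicious named pipes.
kind: Scheduled
status: Available
# Fires when the query returns more than 0 rows (triggerOperator gt, triggerThreshold 0).
triggerThreshold: 0
relevantTechniques:
- T1559
- T1055
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml
# Requires the Defender XDR connector with the DeviceEvents table.
requiredDataConnectors:
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
# Look-back per run; kept equal to the `timeframe` used inside the query.
queryPeriod: 1h
tactics:
- Execution
- DefenseEvasion
severity: Medium
triggerOperator: gt
description: |
    This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
# Known Cobalt Strike pipe names plus pattern clauses; each pattern clause suppresses the
# legitimate product's pipes by requiring the (parent) process id / thread id to be absent.
query: |
  let timeframe=1h;
  let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
  let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
  DeviceEvents
  | where Timestamp >= ago(timeframe)
  | where ActionType == "NamedPipeEvent"
  | extend AdditionalFields=parse_json(AdditionalFields)
  | extend ThreadId=tostring(AdditionalFields.ThreadId)
  | extend PipeName=tostring(AdditionalFields.PipeName)
  // String versions of the process ids so they can be searched for inside PipeName with `has`.
  | extend InitiatingPID=tostring(InitiatingProcessId)
  | extend InitiatingParentPID=tostring(InitiatingProcessParentId)
  // Begin allow-list.
  // End allow-list.
  | where PipeName has_any (CobaltStrikeDefaults) or
  // Mojo pipes are created by Chromium-based browsers and Teams; legitimate ones carry the (parent) ProcessId and ThreadId plus a random character string, whereas Cobalt Strike generates hex.
        (PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
  // Chromium-based browser sync pipes follow the same scheme: (parent) ProcessId and ThreadId plus a random character string; Cobalt Strike generates hex.
        (PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
  // PSHost pipes are created by PowerShell and include the (parent) ProcessId.
        (PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
  // Crashpad pipes include the ProcessId followed by a string of upper-case characters.
        (PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
  // Firefox (cubeb) pipes include the ProcessId and 1-3 digits that increase with each new pipe.
  // NOTE: the suppression regex previously read "[0-9]{1-3}+", which is not a valid repetition quantifier and so never matched the legitimate form; "{1,3}" expresses the intended 1-3 digits.
        (PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1,3}" or PipeName has InitiatingPID)) or
  // Malleable C2 profile stems combined with a short random HEX suffix at the end of the name.
        (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}$") or
  // Bare hex pipe names; the `{8}` alternative is already covered by `{7,10}` and is kept only for readability.
        (PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")
name: Suspicious named pipes
version: 1.0.0
id: ddf7c669-db26-4215-acaf-11e2953a04e6
queryFrequency: 1h
# Entities attached to the incident; the column names are expected to be present in the
# DeviceEvents rows returned by the query (the query does not project them away).
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine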
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ddf7c669-db26-4215-acaf-11e2953a04e6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ddf7c669-db26-4215-acaf-11e2953a04e6')]",
      "properties": {
        "alertRuleTemplateName": "ddf7c669-db26-4215-acaf-11e2953a04e6",
        "customDetails": null,
        "description": "This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.\n",
        "displayName": "Suspicious named pipes",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousNamedPipes.yaml",
        "query": "let timeframe=1h;\nlet CobaltStrikeDefaults= dynamic([@\"msagent_\", @\"MSSE-\", @\"postex_\", @\"status_\", @\"mypipe-f\", @\"mypipe-h\",@\"ntsvcs_\",@\"scerpc_\", @\"mojo.5688.8052.\"]);\nlet CobaltStrikeMallable= dynamic([@\"win_svc\", @\"ntsvcs\", @\"scerpc\", @\"status_\", @\"SearchTextHarvester\", @\"DserNamePipe\",@\"wkssvc_\",@\"scerpc_\", @\"spoolss_\",@\"CatalogChangeListener\",@\"fullduplex_\",@\"demoagent_\",@\"PGMessagePipe\",@\"MsFteWds\",@\"postex_ssh_\",@\"windows.update.manager\",@\"\\f4c3\",@\"\\f53f\",@\"halfduplex_\"]);\nDeviceEvents\n| where Timestamp >= ago(timeframe)\n| where ActionType == \"NamedPipeEvent\"\n| extend AdditionalFields=parse_json(AdditionalFields)\n| extend ThreadId=tostring(AdditionalFields.ThreadId)\n| extend PipeName=tostring(AdditionalFields.PipeName)\n// creating string based variants of the processIDs for matching several times later\n| extend InitiatingPID=tostring(InitiatingProcessId)\n| extend InitiatingParentPID=tostring(InitiatingProcessParentId)\n// Begin allow-list.\n// End allow-list.\n| where PipeName has_any (CobaltStrikeDefaults) or\n// Mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.\n      (PipeName matches regex @\"\\\\mojo\\.\\d+\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\mojo\\.\\d+\\.\\d+\\.\\d+$\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or\n// Chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex.\n      (PipeName matches regex @\"\\\\(edge|chrome)\\.sync\\.\\d+\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\(edge|chrome|edge\\.sync|chrome\\.sync)\\.\\d+\\.\\d+\\.\\d+$\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or\n// PSHost is 
generated by PowerShell and has a distinct pattern including the (parent)ProcessId.\n      (PipeName matches regex @\"\\\\PSHost\\.\\d+\\.\" and not(PipeName matches regex @\"\\\\PSHost\\.\\d+\\.\\d+\\.\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or\n// Crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters.\n      (PipeName matches regex @\"\\\\crashpad_\" and not(PipeName matches regex @\"\\\\crashpad_\\d+_[A-Z]+\" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or\n// Firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe.\n      (PipeName matches regex @\"\\\\cubeb-pipe-\" and not(PipeName matches regex @\"\\\\cubeb-pipe-\\d+_[0-9]{1-3}+\" or PipeName has InitiatingPID)) or\n// Based on a list of public mallable profiles and a suffix that is a random HEX string.\n      (PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @\"[a-fA-F0-9]{2,10}$\") or\n      (PipeName matches regex @\"\\\\pipe\\\\[0-9a-f]{7,10}\" or PipeName matches regex @\"\\\\pipe\\\\[0-9a-f]{8}\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1055",
          "T1559"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}