@@ -5,89 +5,104 @@ date: '2025-12-01'
55author : Raven Tait, Splunk
66status : production
77type : TTP
8- description : The following analytic detects the creation or connection to
9- known suspicious named pipes, which is a technique often used by offensive
10- tools. It leverages Sysmon EventCodes 17 and 18 to identify
11- known default pipe names used by these tools. If confirmed malicious,
12- this could allow an attacker to abuse these to potentially gain privilege escalation,
8+ description : |
9+ The following analytic detects the creation or connection to a known suspicious named pipe.
10+ It leverages Sysmon EventCodes 17 and 18 to identify known default pipe names used by these attacker or malicious tools.
11+ If confirmed malicious, this could allow an attacker to abuse these to potentially gain privilege escalation,
1312 persistence, c2 communications, or further system compromise.
1413data_source :
15- - Sysmon EventID 17
16- - Sysmon EventID 18
17- search : ' `sysmon` EventCode=17 OR EventCode=18 AND NOT Image IN (
18- "System","*System32\\svchost.exe","*Program Files*\\Microsoft*","*Program Files*\\Google*",
19- "*AppData\\Local\\Microsoft*","*AppData\\Local\\Google*","*AppData\\Local\\Kingsoft\\*",
20- "*\\Windows\\system32\\SearchIndexer.exe","*\\WINDOWS\\SystemApps\\Microsoft*",
21- "*Program Files\\dotnet\\dotnet.exe","*Program Files*\\Adobe*","*Amazon\\SSM\\Instance*"
14+ - Sysmon EventID 17
15+ - Sysmon EventID 18
16+ search : |
17+ `sysmon`
18+ EventCode IN (17, 18)
19+ NOT Image IN (
20+ "*:\\Program Files*\\Adobe*",
21+ "*:\\Program Files*\\Google*",
22+ "*:\\Program Files*\\Microsoft*",
23+ "*:\\Program Files\\dotnet\\dotnet.exe",
24+ "*:\\Windows\\system32\\SearchIndexer.exe",
25+ "*:\\Windows\\System32\\svchost.exe",
26+ "*:\\Windows\\SystemApps\\Microsoft*",
27+ "*\\Amazon\\SSM\\Instance*",
28+ "*\\AppData\\Local\\Google*",
29+ "*\\AppData\\Local\\Kingsoft\\*",
30+ "*\\AppData\\Local\\Microsoft*",
31+ "System",
2232 )
23- | stats min(_time) as firstTime max(_time) as lastTime
24- count by dest dvc process_exec process_guid process_id process_path signature signature_id
25- vendor_product pipe_name user_id Image process_name
33+
34+ | stats min(_time) as firstTime max(_time) as lastTime
35+ count by dest dvc process_exec process_guid process_id process_path
36+ pipe_name user_id process_name signature signature_id vendor_product
37+
2638 | lookup suspicious_named_pipes suspicious_pipe_name AS pipe_name OUTPUT tool, type, description
27- | where isnotnull(tool) | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
28- | `windows_suspicious_named_pipe_filter`'
29- how_to_implement : To successfully implement this search, you need to be ingesting
30- logs with the process name and pipename from your endpoints. If you are using Sysmon,
31- you must have at least version 6.0.4 of the Sysmon TA.
32- known_false_positives : Some named pipes will attempt to blend
33- in. Therefore, some of the named pipes identified and added may cause false positives.
39+ | where isnotnull(tool)
40+ | `security_content_ctime(firstTime)`
41+ | `security_content_ctime(lastTime)`
42+ | `windows_suspicious_named_pipe_filter`
43+ how_to_implement : |
44+ To successfully implement this search, you need to be ingesting
45+ logs with the process name and pipename from your endpoints.
46+ If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
47+ known_false_positives : |
48+ Some named pipes will attempt to blend in.
49+ Therefore, some of the named pipes identified and added may cause false positives.
3450 Filter by process name or pipe name to reduce false positives.
3551references :
36- - https://attack.mitre.org/techniques/T1218/009/
37- - https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes
52+ - https://attack.mitre.org/techniques/T1218/009/
53+ - https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes
3854drilldown_searches :
39- - name : View the detection results for - "$dest$"
40- search : ' %original_detection_search% | search dest = "$dest$"'
41- earliest_offset : $info_min_time$
42- latest_offset : $info_max_time$
43- - name : View risk events for the last 7 days for - "$dest$"
44- search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
45- starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
46- values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
47- as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
48- as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
49- | `security_content_ctime(lastTime)`'
50- earliest_offset : $info_min_time$
51- latest_offset : $info_max_time$
55+ - name : View the detection results for - "$dest$"
56+ search : ' %original_detection_search% | search dest = "$dest$"'
57+ earliest_offset : $info_min_time$
58+ latest_offset : $info_max_time$
59+ - name : View risk events for the last 7 days for - "$dest$"
60+ search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
61+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
62+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
63+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
64+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
65+ | `security_content_ctime(lastTime)`'
66+ earliest_offset : $info_min_time$
67+ latest_offset : $info_max_time$
5268rba :
53- message : An instance of $process_name$ was identified on endpoint $dest$ accessing
54- known suspicious named pipes.
69+ message : An instance of $process_name$ located in $process_path$ was identified on endpoint $dest$ accessing
70+ known suspicious named pipes $pipe_name$ .
5571 risk_objects :
56- - field : dest
57- type : system
58- score : 72
72+ - field : dest
73+ type : system
74+ score : 72
5975 threat_objects :
60- - field : process_name
61- type : process_name
76+ - field : process_name
77+ type : process_name
6278tags :
6379 analytic_story :
64- - Trickbot
65- - DarkSide Ransomware
66- - Cobalt Strike
67- - BlackByte Ransomware
68- - Graceful Wipe Out Attack
69- - LockBit Ransomware
70- - Gozi Malware
71- - APT37 Rustonotto and FadeStealer
72- - Hellcat Ransomware
73- - Meterpreter
74- - Brute Ratel C4
75- - Remote Monitoring and Management Software
76- - Tuoni
80+ - Trickbot
81+ - DarkSide Ransomware
82+ - Cobalt Strike
83+ - BlackByte Ransomware
84+ - Graceful Wipe Out Attack
85+ - LockBit Ransomware
86+ - Gozi Malware
87+ - APT37 Rustonotto and FadeStealer
88+ - Hellcat Ransomware
89+ - Meterpreter
90+ - Brute Ratel C4
91+ - Remote Monitoring and Management Software
92+ - Tuoni
7793 asset_type : Endpoint
7894 mitre_attack_id :
79- - T1559
80- - T1021.002
81- - T1055
95+ - T1559
96+ - T1021.002
97+ - T1055
8298 product :
83- - Splunk Enterprise
84- - Splunk Enterprise Security
85- - Splunk Cloud
99+ - Splunk Enterprise
100+ - Splunk Enterprise Security
101+ - Splunk Cloud
86102 security_domain : endpoint
87103tests :
88- - name : True Positive Test
89- attack_data :
90- - data : https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log
91- source : XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
92- sourcetype : XmlWinEventLog
93-
104+ - name : True Positive Test
105+ attack_data :
106+ - data : https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log
107+ source : XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
108+ sourcetype : XmlWinEventLog
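Review bot: the `NOT Image IN (...)` allowlist still excludes user-writable locations (`"*\\AppData\\Local\\Google*"`, `"*\\AppData\\Local\\Kingsoft\\*"`, `"*\\AppData\\Local\\Microsoft*"`), and unlike the `Program Files` and `Windows` entries these were not anchored to a drive root in this rewrite, so a pipe event from any binary placed under those directories is dropped before the lookup ever runs; consider narrowing them to the specific executables that legitimately create pipes there, or keying the exclusion on `signature` / `signature_id` (both already in the `stats ... by` clause) rather than on path alone. Switching to `EventCode IN (17, 18) NOT Image IN (...)` is a clear readability win over the old `EventCode=17 OR EventCode=18 AND NOT Image IN (...)`, which depended on how SPL groups OR and AND without parentheses, and dropping `Image` from the `by` fields looks safe because the `rba.message` only interpolates `$process_name$`, `$process_path$`, `$pipe_name$` and `$dest$`, all of which remain in the `by` clause; both points deserve a sentence in the commit message. Two smaller items: `known suspicious named pipes $pipe_name$ .` has a stray space before the period, and the `references` list still points at T1218/009 while `mitre_attack_id` lists T1559, T1021.002 and T1055, so the reference should be updated to match the mapped techniques.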