@@ -12,17 +12,30 @@ description: The following analytic detects the creation or connection to
1212 this could allow an attacker to abuse these to potentially gain privilege escalation,
1313 persistence, c2 communications, or further system compromise.
1414data_source :
15- - Sysmon EventID 17
16- - Sysmon EventID 18
17- search : ' `sysmon` EventCode=17 OR EventCode=18 AND NOT Image IN (
18- "System","*System32\\svchost.exe","*Program Files*\\Microsoft*","*Program Files*\\Google*",
19- "*AppData\\Local\\Microsoft*","*AppData\\Local\\Google*","*AppData\\Local\\Kingsoft\\*",
20- "*\\Windows\\system32\\SearchIndexer.exe","*\\WINDOWS\\SystemApps\\Microsoft*",
21- "*Program Files\\dotnet\\dotnet.exe","*Program Files*\\Adobe*","*Amazon\\SSM\\Instance*"
15+ - Sysmon EventID 17
16+ - Sysmon EventID 18
17+ search : |
18+ `sysmon`
19+ EventCode IN (17, 18)
20+ NOT Image IN (
21+ "*:\\Program Files*\\Adobe*",
22+ "*:\\Program Files*\\Google*",
23+ "*:\\Program Files*\\Microsoft*",
24+ "*:\\Program Files\\dotnet\\dotnet.exe",
25+ "*:\\Windows\\system32\\SearchIndexer.exe",
26+ "*:\\Windows\\System32\\svchost.exe",
27+ "*:\\Windows\\SystemApps\\Microsoft*",
28+ "*\\Amazon\\SSM\\Instance*",
29+ "*\\AppData\\Local\\Google*",
30+ "*\\AppData\\Local\\Kingsoft\\*",
31+ "*\\AppData\\Local\\Microsoft*",
32+ "System",
2233 )
23- | stats min(_time) as firstTime max(_time) as lastTime
24- count by dest dvc process_exec process_guid process_id process_path signature signature_id
25- vendor_product pipe_name user_id Image process_name
34+
35+ | stats min(_time) as firstTime max(_time) as lastTime
36+ count by dest dvc process_exec process_guid process_id process_path
37+ pipe_name user_id process_name signature signature_id vendor_product
38+
2639 | lookup suspicious_named_pipes suspicious_pipe_name AS pipe_name OUTPUT tool, type, description
2740 | where isnotnull(tool) | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
2841 | `windows_suspicious_pua_named_pipe_filter`'
@@ -33,56 +46,56 @@ known_false_positives: Some named pipes will attempt to blend
3346 in. Therefore, some of the named pipes identified and added may cause false positives.
3447 Filter by process name or pipe name to reduce false positives.
3548references :
36- - https://attack.mitre.org/techniques/T1218/009/
37- - https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes
49+ - https://attack.mitre.org/techniques/T1218/009/
50+ - https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes
3851drilldown_searches :
39- - name : View the detection results for - "$dest$"
40- search : ' %original_detection_search% | search dest = "$dest$"'
41- earliest_offset : $info_min_time$
42- latest_offset : $info_max_time$
43- - name : View risk events for the last 7 days for - "$dest$"
44- search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
45- starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
46- values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
47- as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
48- as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
49- | `security_content_ctime(lastTime)`'
50- earliest_offset : $info_min_time$
51- latest_offset : $info_max_time$
52+ - name : View the detection results for - "$dest$"
53+ search : ' %original_detection_search% | search dest = "$dest$"'
54+ earliest_offset : $info_min_time$
55+ latest_offset : $info_max_time$
56+ - name : View risk events for the last 7 days for - "$dest$"
57+ search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
58+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
59+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
60+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
61+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
62+ | `security_content_ctime(lastTime)`'
63+ earliest_offset : $info_min_time$
64+ latest_offset : $info_max_time$
5265rba :
53- message : An instance of $process_name$ was identified on endpoint $dest$ accessing
54- known suspicious named pipes.
66+ message : An instance of $process_name$ located in $process_path$ was identified on endpoint $dest$ accessing
67+ known suspicious named pipes $pipe_name$ .
5568 risk_objects :
5669 - field : dest
5770 type : system
5871 score : 32
5972 threat_objects :
60- - field : process_name
61- type : process_name
73+ - field : process_name
74+ type : process_name
6275tags :
6376 analytic_story :
64- - Trickbot
65- - DarkSide Ransomware
66- - Cobalt Strike
67- - BlackByte Ransomware
68- - Graceful Wipe Out Attack
69- - LockBit Ransomware
70- - Gozi Malware
71- - APT37 Rustonotto and FadeStealer
72- - Hellcat Ransomware
73- - Meterpreter
74- - Brute Ratel C4
75- - Remote Monitoring and Management Software
76- - Tuoni
77+ - Trickbot
78+ - DarkSide Ransomware
79+ - Cobalt Strike
80+ - BlackByte Ransomware
81+ - Graceful Wipe Out Attack
82+ - LockBit Ransomware
83+ - Gozi Malware
84+ - APT37 Rustonotto and FadeStealer
85+ - Hellcat Ransomware
86+ - Meterpreter
87+ - Brute Ratel C4
88+ - Remote Monitoring and Management Software
89+ - Tuoni
7790 asset_type : Endpoint
7891 mitre_attack_id :
79- - T1559
80- - T1021.002
81- - T1055
92+ - T1559
93+ - T1021.002
94+ - T1055
8295 product :
83- - Splunk Enterprise
84- - Splunk Enterprise Security
85- - Splunk Cloud
96+ - Splunk Enterprise
97+ - Splunk Enterprise Security
98+ - Splunk Cloud
8699 security_domain : endpoint
87100tests :
88101- name : True Positive Test
0 commit comments