- title: Malicious Named Pipe
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: experimental
description: Detects the creation of a named pipe used by known APT malware
references:
- Various sources
date: 2017/11/06
author: Florian Roth
logsource:
product: windows
service: sysmon
definition: Note that you have to configure logging for PipeEvents in Symson config
category: null
detection:
selection:
EventID:
- 17
- 18
PipeName:
- \isapi_http
- \isapi_dg
- \isapi_dg2
- \sdlrpc
- \ahexec
- \winsession
- \lsassw
- \46a676ab7f179e511e30dd2dc41bd388
- \9f81f59bc58452127884ce513865ed20
- \e710f28d59aa529d6792ca6ff0ca1b34
- \rpchlp_3
- \NamePipe_MoreWindows
- \pcheap_reuse
- \msagent_*
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
falsepositives:
- Unkown
level: critical
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(event_id:("17" OR "18") AND pipe_name.keyword:(\\isapi_http OR \\isapi_dg OR \\isapi_dg2 OR \\sdlrpc OR \\ahexec OR \\winsession OR \\lsassw OR \\46a676ab7f179e511e30dd2dc41bd388 OR \\9f81f59bc58452127884ce513865ed20 OR \\e710f28d59aa529d6792ca6ff0ca1b34 OR \\rpchlp_3 OR \\NamePipe_MoreWindows OR \\pcheap_reuse OR \\msagent_*))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()