
First Time Seen Remote Named Pipe - Zeek

This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.

Authors: Samir Bousseaden, Tim Shelton
Created: Thu Apr 02 | Updated: Tue Dec 27
Rule ID: 021310d9-30a6-480a-84b7-eaa69aeb92bb | Category: network
Log Source
Product: Zeek (Bro) (raw: zeek)
Service: smb_files (raw: smb_files)
Detection Logic (2 selectors)
detection:
    selection:
        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
    filter_keywords:
        - 'samr'
        - 'lsarpc'
        - 'winreg'
        - 'netlogon'
        - 'srvsvc'
        - 'protected_storage'
        - 'wkssvc'
        - 'browser'
        - 'netdfs'
        - 'svcctl'
        - 'spoolss'
        - 'ntsvcs'
        - 'LSM_API_service'
        - 'HydraLsPipe'
        - 'TermSrv_API_service'
        - 'MsFteWds'
    condition: selection and not 1 of filter_*
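As an added example (not part of the rule or the Sigma project), the Python below re-implements the rule's logic, the IPC$ path selector and the known-pipe keyword filter, over constructed Zeek smb_files JSON events; the field names follow Zeek's smb_files log, while the hosts, timestamps and the pipe name newpipe01 are constructed sample data.

```python
"""Re-implementation of 'selection and not 1 of filter_*' over Zeek smb_files JSON."""
import json
import re
from typing import Iterable

# Remotely reachable named pipes the rule excludes (its filter_keywords list).
KNOWN_PIPES = [
    "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage",
    "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs",
    "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds",
]

# Equivalent of the rule's path selector \\*\IPC$: two backslashes, a host, \IPC$.
IPC_PATH = re.compile(r"^\\\\[^\\]+\\IPC\$$", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """True when the event hits the selection and none of the filter keywords."""
    if not IPC_PATH.match(str(event.get("path", ""))):
        return False
    # Sigma keyword lists match case-insensitively anywhere in the raw event,
    # so the filter is applied to the whole serialised record, as the rule does.
    haystack = json.dumps(event).lower()
    return not any(pipe.lower() in haystack for pipe in KNOWN_PIPES)


def first_seen_pipes(lines: Iterable[str]) -> list[str]:
    """Pipe names that survive the filter, in order of first appearance."""
    seen: list[str] = []
    for line in lines:
        event = json.loads(line)
        if matches_rule(event) and event.get("name") not in seen:
            seen.append(event["name"])
    return seen


# Constructed sample events shaped like Zeek smb_files records (not real traffic).
SAMPLE_EVENTS = [
    {"ts": 1700000000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20",
     "action": "SMB::FILE_OPEN", "path": r"\\FS01\IPC$", "name": "srvsvc"},
    {"ts": 1700000001.2, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20",
     "action": "SMB::FILE_OPEN", "path": r"\\FS01\IPC$", "name": "svcctl"},
    {"ts": 1700000002.3, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.21",
     "action": "SMB::FILE_OPEN", "path": r"\\FS02\IPC$", "name": "newpipe01"},
    {"ts": 1700000003.4, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.21",
     "action": "SMB::FILE_OPEN", "path": r"\\FS02\share", "name": "report.docx"},
    {"ts": 1700000004.5, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.21",
     "action": "SMB::FILE_OPEN", "path": r"\\FS02\IPC$", "name": "newpipe01"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Running `first_seen_pipes(SAMPLE_LINES)` on the constructed data returns only `["newpipe01"]`: the srvsvc and svcctl opens are dropped by the keyword filter and the non-IPC$ share access never matches the selection.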
False Positives

Update the list of excluded named pipes to filter out any newly observed legitimate named pipe.

Rule Metadata
Rule ID: 021310d9-30a6-480a-84b7-eaa69aeb92bb
Status: test
Level: high
Type: Detection
Created: Thu Apr 02
Modified: Tue Dec 27
Path: rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
Raw Tags: attack.lateral-movement, attack.t1021.002