Type: Detection | Level: high | Status: test
First Time Seen Remote Named Pipe
This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.
Log Source
Windows / security
Product: Windows (raw: windows)
Service: security (raw: security)
Definition
The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
Detection Logic
Detection Logic (2 selectors)

```yaml
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    false_positives:
        RelativeTargetName:
            - 'atsvc'
            - 'samr'
            - 'lsarpc'
            - 'lsass'
            - 'winreg'
            - 'netlogon'
            - 'srvsvc'
            - 'protected_storage'
            - 'wkssvc'
            - 'browser'
            - 'netdfs'
            - 'svcctl'
            - 'spoolss'
            - 'ntsvcs'
            - 'LSM_API_service'
            - 'HydraLsPipe'
            - 'TermSrv_API_service'
            - 'MsFteWds'
            - 'sql\query'
            - 'eventlog'
    condition: selection1 and not false_positives
```

False Positives
Update the excluded named pipe list to filter out any newly observed legitimate named pipe.
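The rule above is stateless: it fires on every IPC$ access to a pipe outside the exclusion list, and the "first time seen" part of its name has to be supplied by whatever runs it. The following added example (not code from the rule page or the Sigma project) evaluates the rule's `selection1 and not false_positives` logic over constructed Event ID 5145 records and layers a simple first-seen baseline on top. The field names (`EventID`, `ShareName`, `RelativeTargetName`, `Computer`, `IpAddress`) follow the Security event schema; the sample records and pipe names such as `newpipe01` and `backup_agent` are constructed for the demonstration.

```python
# Added example: applies the rule's selection/exclusion logic to constructed
# Event ID 5145 records and adds a "first time seen" baseline, which the rule
# title describes but a stateless Sigma rule cannot express on its own.
from __future__ import annotations

from typing import Iterable

# Exclusion list taken from the rule's false_positives selector, lower-cased
# because Sigma string matching is case-insensitive.
KNOWN_PIPES = {p.lower() for p in (
    "atsvc", "samr", "lsarpc", "lsass", "winreg", "netlogon", "srvsvc",
    "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss",
    "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service",
    "MsFteWds", r"sql\query", "eventlog",
)}

# The Sigma value '\\\\\*\\IPC$' unescapes to the literal string \\*\IPC$;
# the asterisk is part of the ShareName field as Windows logs it, not a wildcard.
IPC_SHARE = r"\\*\IPC$".lower()


def rule_matches(event: dict) -> bool:
    """Evaluate 'selection1 and not false_positives' for one event record."""
    selection1 = (
        event.get("EventID") == 5145
        and str(event.get("ShareName", "")).lower() == IPC_SHARE
    )
    in_exclusion = str(event.get("RelativeTargetName", "")).lower() in KNOWN_PIPES
    return selection1 and not in_exclusion


def first_seen_pipes(events: Iterable[dict], baseline: set[str]) -> tuple[list[dict], set[str]]:
    """Alert once per pipe name that passes the rule and is absent from the baseline.

    Returns (alerts, updated_baseline). Persist the returned baseline between
    runs; pipes confirmed legitimate belong in the rule's exclusion list.
    """
    seen = {p.lower() for p in baseline}
    alerts: list[dict] = []
    for ev in events:
        if not rule_matches(ev):
            continue
        pipe = str(ev["RelativeTargetName"]).lower()
        if pipe in seen:
            continue                      # already known: stay silent
        seen.add(pipe)
        alerts.append({
            "pipe": ev["RelativeTargetName"],
            "host": ev.get("Computer"),
            "source": ev.get("IpAddress"),
        })
    return alerts, seen


# Constructed sample records shaped like the fields of Security event 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "srv01", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},          # excluded: known pipe
    {"EventID": 5145, "Computer": "srv01", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Temp\note.txt"},    # not IPC$: no match
    {"EventID": 5140, "Computer": "srv01", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "newpipe01"},       # wrong event ID
    {"EventID": 5145, "Computer": "srv01", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "newpipe01"},       # first sighting: alert
    {"EventID": 5145, "Computer": "srv02", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "NewPipe01"},       # seen before (case-insensitive)
    {"EventID": 5145, "Computer": "srv02", "IpAddress": "10.0.0.40",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "backup_agent"},    # in local baseline: silent
]

if __name__ == "__main__":
    alerts, baseline = first_seen_pipes(SAMPLE_EVENTS, {"backup_agent"})
    for a in alerts:
        print(f"new remote named pipe {a['pipe']!r} on {a['host']} from {a['source']}")
    print("baseline now:", sorted(baseline))
```

Running the sample yields a single alert for `newpipe01`; the repeat sighting with different casing and the baselined `backup_agent` pipe stay quiet, which is the behaviour the False Positives note asks for once a pipe has been reviewed and added to the exclusions.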
References
MITRE ATT&CK
Tactics: Lateral Movement (attack.lateral-movement)
Sub-techniques: T1021.002 (attack.t1021.002)
Rule Metadata
Rule ID
52d8b0c6-53d6-439a-9e41-52ad442ad9ad
Status
test
Level
high
Type
Detection
Created
Wed Apr 03
Modified
Tue Mar 14
Author
Path
rules/windows/builtin/security/win_security_lm_namedpipe.yml
Raw Tags
attack.lateral-movement, attack.t1021.002