Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

HackTool - EfsPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Mon Aug 23Updated Thu Dec 21637f689e-b4a5-4a86-be0e-0100a0a33ba2windows
Log Source
WindowsNamed Pipe Created
ProductWindows← raw: windows
CategoryNamed Pipe Created← raw: pipe_created

Definition

Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

Detection Logic
Detection Logic3 selectors
detection:
    selection:
        PipeName|contains:
            - '\pipe\'
            - '\pipe\srvsvc'  # more specific version (use only this one if the other causes too many false positives)
    filter_optional_ctx:
        PipeName|contains: '\CtxShare'
    filter_optional_default:
        PipeName|startswith: '\pipe\' # excludes pipes that start with \pipe\*
    condition: selection and not 1 of filter_optional_*
False Positives

\pipe\LOCAL\Monitorian

References
1
Resolving title…
twitter.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
637f689e-b4a5-4a86-be0e-0100a0a33ba2
Status
test
Level
high
Type
Detection
Created
Mon Aug 23
Modified
Thu Dec 21
Author
Florian Roth (Nextron Systems)
Path
rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1055
View on GitHub