Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectioncriticaltest

HackTool - Credential Dumping Tools Named Pipe Created

Detects well-known credential dumping tools execution via specific named pipe creation

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Teymur Kheirkhabarov, oscd.communityCreated Fri Nov 01Updated Mon Aug 07961d0ba2-3eea-4303-a930-2cf78bbfcc5ewindows
Log Source
WindowsNamed Pipe Created
ProductWindows← raw: windows
CategoryNamed Pipe Created← raw: pipe_created

Definition

Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

Detection Logic
Detection Logic1 selector
detection:
    selection:
        PipeName|contains:
            - '\cachedump'
            - '\lsadump'
            - '\wceservicepipe'
    condition: selection
False Positives

Legitimate Administrator using tool for password recovery

References
1
Resolving title…
slideshare.net
2
Resolving title…
image.slidesharecdn.com
MITRE ATT&CK
Rule Metadata
Rule ID
961d0ba2-3eea-4303-a930-2cf78bbfcc5e
Status
test
Level
critical
Type
Detection
Created
Fri Nov 01
Modified
Mon Aug 07
Author
Teymur Kheirkhabarov, oscd.community
Path
rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
Raw Tags
attack.credential-accessattack.t1003.001attack.t1003.002attack.t1003.004attack.t1003.005
View on GitHub