Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Privilege Escalation via Named Pipe Impersonation

Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Tim Rauch, Elastic SecurityCreated Tue Sep 27Updated Fri Dec 309bd04a79-dabe-4f1f-a5ff-92430265c96bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_name:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
    selection_args:
        CommandLine|contains|all:
            - 'echo'
            - '>'
            - '\\\\.\\pipe\\'
    condition: all of selection*
False Positives

Other programs that cause these patterns (please report)

References
1
Resolving title…
elastic.co
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Potential CobaltStrike Process Patterns

Detects potential process patterns related to Cobalt Strike beacon activity

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
9bd04a79-dabe-4f1f-a5ff-92430265c96b
Status
test
Level
high
Type
Detection
Created
Tue Sep 27
Modified
Fri Dec 30
Author
Tim Rauch, Elastic Security
Path
rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
Raw Tags
attack.lateral-movementattack.t1021
View on GitHub