Rule Library

Sigma Rules

19 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection | medium | test

ADFS Database Named Pipe Connection By Uncommon Tool

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.

Windows | Named Pipe Created
TA0009 · Collection | T1005 · Data from Local System
Roberto Rodriguez (Cyb3rWard0g) | Fri Oct 08 | windows
Detection | critical | test

CobaltStrike Named Pipe

Detects the creation of a named pipe as used by CobaltStrike

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection
Florian Roth (Nextron Systems) +1 | Tue May 25 | windows
Detection | critical | test

CobaltStrike Named Pipe Pattern Regex

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection
Florian Roth (Nextron Systems) | Fri Jul 30 | windows
Detection | high | test

CobaltStrike Named Pipe Patterns

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection | stp.1k
Florian Roth (Nextron Systems) +1 | Fri Jul 30 | windows
Detection | high | test

HackTool - CoercedPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection
Florian Roth (Nextron Systems) | Wed Oct 11 | windows
Detection | critical | test

HackTool - DiagTrackEoP Default Named Pipe

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

Windows | Named Pipe Created
TA0004 · Privilege Escalation
Nasreddine Bencherchali (Nextron Systems) | Wed Aug 03 | windows
Detection | high | test

HackTool - EfsPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection
Florian Roth (Nextron Systems) | Mon Aug 23 | windows
Detection | critical | test

HackTool - Credential Dumping Tools Named Pipe Created

Detects well-known credential dumping tools execution via specific named pipe creation

Windows | Named Pipe Created
TA0006 · Credential Access | T1003.001 · LSASS Memory | T1003.002 · Security Account Manager | T1003.004 · LSA Secrets | +1
Teymur Kheirkhabarov +1 | Fri Nov 01 | windows
Detection | critical | test

HackTool - Koh Default Named Pipe

Detects creation of default named pipes used by the Koh tool

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | TA0006 · Credential Access | T1528 · Steal Application Access Token | +1
Nasreddine Bencherchali (Nextron Systems) | Fri Jul 08 | windows
Detection | medium | test

Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Windows | Named Pipe Created
TA0002 · Execution | T1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g) +1 | Thu Sep 12 | windows
Detection | informational | test

New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

Windows | Named Pipe Created
TA0002 · Execution | T1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g) +1 | Thu Sep 12 | windows
Detection | medium | test

PUA - CSExec Default Named Pipe

Detects default CSExec pipe creation

Windows | Named Pipe Created
TA0008 · Lateral Movement | T1021.002 · SMB/Windows Admin Shares | TA0002 · Execution | T1569.002 · Service Execution
Nikita Nazarov +2 | Mon Aug 07 | windows
Detection | medium | test

PUA - PAExec Default Named Pipe

Detects PAExec default named pipe

Windows | Named Pipe Created
TA0002 · Execution | T1569.002 · Service Execution
Nasreddine Bencherchali (Nextron Systems) | Wed Oct 26 | windows
Detection | medium | test

PUA - RemCom Default Named Pipe

Detects default RemCom pipe creation

Windows | Named Pipe Created
TA0008 · Lateral Movement | T1021.002 · SMB/Windows Admin Shares | TA0002 · Execution | T1569.002 · Service Execution
Nikita Nazarov +2 | Mon Aug 07 | windows
Detection | medium | test

WMI Event Consumer Created Named Pipe

Detects the WMI Event Consumer service scrcons.exe creating a named pipe

Windows | Named Pipe Created
T1047 · Windows Management Instrumentation | TA0002 · Execution
Florian Roth (Nextron Systems) | Wed Sep 01 | windows
Detection | critical | test

Malicious Named Pipe Created

Detects the creation of a named pipe seen used by known APTs or malware.

Windows | Named Pipe Created
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection
Florian Roth (Nextron Systems) +2 | Mon Nov 06 | windows
Detection | medium | test

PsExec Tool Execution From Suspicious Locations - PipeName

Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack

Windows | Named Pipe Created
TA0002 · Execution | T1569.002 · Service Execution | S0029 · S0029
Nasreddine Bencherchali (Nextron Systems) | Thu Aug 04 | windows
Emerging Threat | critical | test

Turla Group Named Pipes

Detects a named pipe used by Turla group samples

Windows | Named Pipe Created
G0010 · G0010 | TA0002 · Execution | T1106 · Native API | detection.emerging-threats
Markus Neis | Mon Nov 06 | 2017
Threat Hunt | low | test

PsExec Default Named Pipe

Detects PsExec service default pipe creation

Windows | Named Pipe Created
TA0002 · Execution | T1569.002 · Service Execution | S0029 · S0029 | detection.threat-hunting
Thomas Patzke | Mon Jun 12 | windows