Techniques
Sample rules
Windows Suspicious C2 Named Pipe
- source: splunk
- techniques:
- T1559
- T1021.002
- T1055
Description
The following analytic detects the creation of, or connection to, named pipes whose names match the defaults of known C2 tools. It relies on Sysmon EventCode 17 (Pipe Created) and EventCode 18 (Pipe Connected), which Sysmon only emits when its configuration enables PipeEvent, and matches the pipe name against a lookup of default pipe names used by C2 frameworks. Named pipes are a common channel for peer-to-peer C2 (SMB beacons), lateral movement over admin shares, and process injection, so a confirmed match indicates that an attacker may have established command and control or persistence, or be extending the compromise to further systems.
Detection logic
`sysmon`
(EventCode=17 OR EventCode=18)
NOT process_path IN (
"*:\\Program Files \(x86\)\\Adobe*",
"*:\\Program Files \(x86\)\\Google*",
"*:\\Program Files \(x86\)\\Microsoft*",
"*:\\Program Files\\Adobe*",
"*:\\Program Files\\Google*",
"*:\\Program Files\\Microsoft*",
"*:\\Windows\\system32\\SearchIndexer.exe",
"*:\\Windows\\System32\\svchost.exe",
"*:\\Windows\\SystemApps\\Microsoft*",
"*\\Amazon\\SSM\\Instance*",
"*\\AppData\\Local\\Google*",
"*\\AppData\\Local\\Kingsoft\\*",
"*\\AppData\\Local\\Microsoft*",
"System"
)
| stats min(_time) as firstTime max(_time) as lastTime
count by dest dvc process_exec process_guid process_id process_path signature signature_id
vendor_product pipe_name user_id Image process_name
| lookup suspicious_c2_named_pipes suspicious_pipe_name AS pipe_name OUTPUT tool, description
| where isnotnull(tool)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_c2_named_pipe_filter`
Windows Suspicious Named Pipe
- source: splunk
- techniques:
- T1559
- T1021.002
- T1055
Description
The following analytic detects the creation of, or connection to, named pipes whose names match those used by known malicious or suspicious tools. It relies on Sysmon EventCode 17 (Pipe Created) and EventCode 18 (Pipe Connected), which Sysmon only emits when its configuration enables PipeEvent, and matches the pipe name against a lookup of default pipe names used by offensive tooling. A confirmed match indicates that an attacker may be using the pipe for privilege escalation, persistence, C2 communication, or further system compromise.
Detection logic
`sysmon`
EventCode IN (17, 18)
NOT process_path IN (
"*:\\Program Files \(x86\)\\Adobe*",
"*:\\Program Files \(x86\)\\Google*",
"*:\\Program Files \(x86\)\\Microsoft*",
"*:\\Program Files\\Adobe*",
"*:\\Program Files\\Google*",
"*:\\Program Files\\Microsoft*",
"*:\\Windows\\system32\\SearchIndexer.exe",
"*:\\Windows\\System32\\svchost.exe",
"*:\\Windows\\SystemApps\\Microsoft*",
"*\\Amazon\\SSM\\Instance*",
"*\\AppData\\Local\\Google*",
"*\\AppData\\Local\\Kingsoft\\*",
"*\\AppData\\Local\\Microsoft*",
"System"
)
| stats min(_time) as firstTime max(_time) as lastTime
count by dest dvc process_exec process_guid process_id process_path
pipe_name user_id process_name signature signature_id vendor_product
| lookup suspicious_named_pipes suspicious_pipe_name AS pipe_name OUTPUT tool, type, description
| where isnotnull(tool)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_named_pipe_filter`
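To make the pipeline of both analytics above concrete, here is an added Python re-implementation of the detection logic run over a handful of constructed Sysmon EventCode 17/18 records. It is example code written for this page, not Splunk's own content: the exclusion list is copied from the SPL with the SPL escaping removed, while the lookup table is a constructed stand-in holding a few widely documented default pipe names (Cobalt Strike, PsExec), since the real contents of suspicious_c2_named_pipes and suspicious_named_pipes are not reproduced on the page. The example assumes the Splunk lookups are configured for wildcard matching on the pipe name, and the "type" labels and sample field values are its own.

```python
"""Re-implementation of the Splunk named-pipe analytics above, run over
constructed Sysmon EventCode 17/18 records (added example, not Splunk code)."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Exclusion list copied from the SPL above with SPL escaping removed:
# "\\" becomes a literal backslash and "\(x86\)" becomes "(x86)".
EXCLUDED_PROCESS_PATHS = [
    r"*:\Program Files (x86)\Adobe*",
    r"*:\Program Files (x86)\Google*",
    r"*:\Program Files (x86)\Microsoft*",
    r"*:\Program Files\Adobe*",
    r"*:\Program Files\Google*",
    r"*:\Program Files\Microsoft*",
    r"*:\Windows\system32\SearchIndexer.exe",
    r"*:\Windows\System32\svchost.exe",
    r"*:\Windows\SystemApps\Microsoft*",
    r"*\Amazon\SSM\Instance*",
    r"*\AppData\Local\Google*",
    r"*\AppData\Local\Kingsoft\*",
    r"*\AppData\Local\Microsoft*",
    "System",
]

# Constructed stand-in for the suspicious_named_pipes lookup (assumption: the
# real lookup is not on the page). Entries are (pattern, tool, type, description);
# the patterns are well-known tool defaults, the "type" labels are this example's own.
SUSPICIOUS_PIPES = [
    (r"\msagent_*",     "Cobalt Strike", "c2",      "default SMB beacon pipe"),
    (r"\MSSE-*-server", "Cobalt Strike", "c2",      "default artifact pipe"),
    (r"\postex_*",      "Cobalt Strike", "c2",      "post-exploitation job pipe"),
    (r"\PSEXESVC",      "PsExec",        "lateral", "PsExec service pipe"),
]

PIPE_EVENTS = {17, 18}   # Sysmon 17 = Pipe Created, 18 = Pipe Connected


def glob_match(value, pattern):
    """Case-insensitive '*' wildcard match, mirroring SPL's behaviour.
    fnmatchcase is used so the result does not depend on the host OS."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_excluded(process_path):
    """The 'NOT process_path IN (...)' stage."""
    return any(glob_match(process_path, p) for p in EXCLUDED_PROCESS_PATHS)


def lookup_pipe(pipe_name):
    """The '| lookup ... OUTPUT tool, type, description' stage, assuming the
    lookup is configured for wildcard matching on suspicious_pipe_name."""
    for pattern, tool, kind, desc in SUSPICIOUS_PIPES:
        if glob_match(pipe_name, pattern):
            return tool, kind, desc
    return None


def detect(events):
    """Aggregate like '| stats min/max(_time) count by ...' (on a subset of the
    group-by fields) and keep only rows where the lookup matched
    ('| where isnotnull(tool)'). Rows are sorted by firstTime."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if ev["EventCode"] not in PIPE_EVENTS or is_excluded(ev["process_path"]):
            continue
        g = groups[(ev["dest"], ev["process_path"], ev["pipe_name"], ev["user_id"])]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    rows = []
    for (dest, path, pipe, user), g in groups.items():
        hit = lookup_pipe(pipe)
        if hit is None:
            continue
        tool, kind, desc = hit
        rows.append({"dest": dest, "process_path": path, "pipe_name": pipe,
                     "user_id": user, "tool": tool, "type": kind,
                     "description": desc, **g})
    return sorted(rows, key=lambda r: r["firstTime"])


# Constructed sample events; field names follow the SPL above, not raw Sysmon XML.
SAMPLE_EVENTS = [
    {"_time": 1000, "EventCode": 17, "dest": "WS01", "user_id": "S-1-5-21-1-1-1-1001",
     "process_path": r"C:\Windows\Temp\update.exe", "pipe_name": r"\msagent_8c"},
    {"_time": 1060, "EventCode": 18, "dest": "WS01", "user_id": "S-1-5-21-1-1-1-1001",
     "process_path": r"C:\Windows\Temp\update.exe", "pipe_name": r"\msagent_8c"},
    # Same beacon pipe created by an allow-listed host process: suppressed by the exclusion list.
    {"_time": 1100, "EventCode": 17, "dest": "WS01", "user_id": "S-1-5-18",
     "process_path": r"C:\Windows\System32\svchost.exe", "pipe_name": r"\msagent_1a"},
    # Benign pipe from an excluded vendor path.
    {"_time": 1200, "EventCode": 17, "dest": "WS01", "user_id": "S-1-5-21-1-1-1-1001",
     "process_path": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "pipe_name": r"\mojo.1234"},
    # Pipe name not in the lookup: no alert.
    {"_time": 1300, "EventCode": 18, "dest": "WS01", "user_id": "S-1-5-21-1-1-1-1001",
     "process_path": r"C:\Users\alice\tool.exe", "pipe_name": r"\myapp-ipc"},
    # Not a pipe event at all (process creation).
    {"_time": 1400, "EventCode": 1, "dest": "SRV02", "user_id": "S-1-5-18",
     "process_path": r"C:\Windows\PSEXESVC.exe", "pipe_name": ""},
    {"_time": 1500, "EventCode": 17, "dest": "SRV02", "user_id": "S-1-5-18",
     "process_path": r"C:\Windows\PSEXESVC.exe", "pipe_name": r"\PSEXESVC"},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f"{row['dest']} {row['process_path']} {row['pipe_name']} -> "
              f"{row['tool']} ({row['type']}) x{row['count']} "
              f"[{row['firstTime']}..{row['lastTime']}]")
```

Running it yields two rows: the Cobalt Strike beacon pipe on WS01 (count 2, the create and the connect collapsed into one row, as the stats stage does) and the PsExec service pipe on SRV02. The third sample event is the caveat worth keeping in mind: the process_path allowlist is part of the detection surface, and an implant injected into svchost.exe (T1055, which both rules tag) or dropped under Program Files\Microsoft or AppData\Local\Microsoft creates its pipe from an excluded path and is never scored. Treat those exclusions as tuning to be reviewed against your own environment rather than as fixed, and where possible pair this rule with process-injection and image-load analytics that cover the excluded hosts.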