Techniques
Sample rules
Privilege Escalation via Named Pipe Impersonation
- source: sigma
- techniques:
- t1021
Description
Detects cmd.exe or powershell.exe started with a command line that echoes a string into a named pipe (echo ... > \\.\pipe\...). This is the pattern produced by getsystem-style named pipe impersonation in Metasploit and Cobalt Strike: the tool, already running with administrative rights, creates a named pipe server and has a SYSTEM-level service run a command that writes to that pipe, then impersonates the connecting client's SYSTEM token. Matches may also indicate other tooling that triggers pipe connections from a shell.
Detection logic
selection_name:
    - Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
    - OriginalFileName:
        - 'Cmd.Exe'
        - 'PowerShell.EXE'
selection_args:
    CommandLine|contains|all:
        - 'echo'
        - '>'
        - '\\\\.\\pipe\\'
condition: all of selection*
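The following Python block is an added example, not part of the Sigma rule or the Sigma project's code. It re-implements the detection logic above so it can be run over constructed process-creation events (the events and pipe names are made up for illustration). It mirrors the Sigma semantics: the two entries under selection_name are ORed, the three contains tokens are ANDed, string matching is case-insensitive, and the Sigma literal '\\\\.\\pipe\\' unescapes to the prefix \\.\pipe\.

```python
"""Added example: the named-pipe impersonation Sigma rule as plain Python,
evaluated over constructed Sysmon-style process-creation events."""

# selection_name: Image|endswith (list) OR OriginalFileName (list)
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
ORIGINAL_FILE_NAMES = ("cmd.exe", "powershell.exe")

# selection_args: CommandLine|contains|all
# Sigma's '\\\\.\\pipe\\' is the literal prefix \\.\pipe\ after unescaping.
COMMANDLINE_TOKENS = ("echo", ">", "\\\\.\\pipe\\")


def selection_name(event: dict) -> bool:
    """Either list entry may match; Sigma comparisons are case-insensitive."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def selection_args(event: dict) -> bool:
    """All three tokens must appear somewhere in the command line."""
    cmdline = event.get("CommandLine", "").lower()
    return all(token in cmdline for token in COMMANDLINE_TOKENS)


def matches(event: dict) -> bool:
    """condition: all of selection*"""
    return selection_name(event) and selection_args(event)


# Constructed sample events (not real telemetry); pipe names are placeholders.
SAMPLE_EVENTS = [
    {   # getsystem-style trigger spawned by a SYSTEM service: alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo 4a7b2c > \\.\pipe\4a7b2c",
    },
    {   # renamed cmd.exe, still caught through OriginalFileName: alert
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"svc.exe /c echo x > \\.\pipe\x",
    },
    {   # ordinary redirect to a file, no pipe prefix: no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo hello > C:\Temp\out.txt",
    },
    {   # pipe write from a non-shell process; outside the rule's scope: no alert
        "Image": r"C:\Tools\pipeclient.exe",
        "OriginalFileName": "pipeclient.exe",
        "CommandLine": r"pipeclient.exe echo > \\.\pipe\foo",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return one verdict per event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

Two things worth checking when deploying the rule: the OriginalFileName branch is what keeps a renamed cmd.exe or powershell.exe in scope, so make sure your process-creation source populates that field (Sysmon Event ID 1 does; Security 4688 does not), and the rule only sees the shell that writes to the pipe, not the pipe creation itself, so pair it with pipe-creation telemetry (Sysmon Event ID 17/18) if you want the server side as well.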