LoFP / PUAs can be used in a legitimate manner. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.

Techniques

Sample rules

Windows PUA Named Pipe

Description

The following analytic detects the creation or connection to named pipes used by potentially unwanted applications (PUAs) like VPNs or utilities like PsExec. It leverages Sysmon EventCodes 17 and 18. If confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.

Detection logic

`sysmon`
(EventCode=17 OR EventCode=18)
NOT process_path IN (
  "*:\\Program Files \(x86\)\\Adobe*",
  "*:\\Program Files \(x86\)\\Google*",
  "*:\\Program Files \(x86\)\\Microsoft*",
  "*:\\Program Files\\Adobe*",
  "*:\\Program Files\\dotnet\\dotnet.exe",
  "*:\\Program Files\\Google*",
  "*:\\Program Files\\Microsoft*",
  "*:\\Windows\\system32\\SearchIndexer.exe",
  "*:\\Windows\\System32\\svchost.exe",
  "*:\\Windows\\SystemApps\\Microsoft*",
  "*\\Amazon\\SSM\\Instance*",
  "*\\AppData\\Local\\Google*",
  "*\\AppData\\Local\\Kingsoft\\*",
  "*\\AppData\\Local\\Microsoft*",
  "System"
)
| stats min(_time) as firstTime max(_time) as lastTime count
    by dest dvc process_exec process_guid process_id process_path signature signature_id
       vendor_product pipe_name user_id Image process_name
| lookup pua_named_pipes pua_pipe_name AS pipe_name OUTPUT tool, description
| where isnotnull(tool)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_pua_named_pipe_filter`
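To make the stages of the search concrete (EventCode filter, process-path allow-list, lookup join, `where isnotnull(tool)`, `stats` aggregation, and the trailing filter macro as a tuning hook), here is an added Python re-implementation run over constructed Sysmon-style events. It is an illustration written for this page, not Splunk's or the security_content project's own code. The `pua_named_pipes` lookup rows and the sample events are assumptions made up for the example; only the allow-list patterns come from the search above.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Process-path allow-list: the NOT process_path IN (...) clause of the search,
# with the Splunk escaping removed. Splunk matches this case-insensitively.
PROCESS_PATH_ALLOWLIST = [
    "*:\\Program Files (x86)\\Adobe*",
    "*:\\Program Files (x86)\\Google*",
    "*:\\Program Files (x86)\\Microsoft*",
    "*:\\Program Files\\Adobe*",
    "*:\\Program Files\\dotnet\\dotnet.exe",
    "*:\\Program Files\\Google*",
    "*:\\Program Files\\Microsoft*",
    "*:\\Windows\\system32\\SearchIndexer.exe",
    "*:\\Windows\\System32\\svchost.exe",
    "*:\\Windows\\SystemApps\\Microsoft*",
    "*\\Amazon\\SSM\\Instance*",
    "*\\AppData\\Local\\Google*",
    "*\\AppData\\Local\\Kingsoft\\*",
    "*\\AppData\\Local\\Microsoft*",
    "System",
]

# Constructed stand-in for the pua_named_pipes lookup (pua_pipe_name -> tool, description).
# The real lookup's rows are not on the page; these two are illustrative assumptions.
PUA_NAMED_PIPES = {
    "\\PSEXESVC": ("PsExec", "Sysinternals PsExec service control pipe"),
    "\\openvpn": ("OpenVPN", "VPN client management pipe"),
}


def is_allowlisted(process_path, allowlist=PROCESS_PATH_ALLOWLIST):
    """True if the path matches any allow-list glob (case-insensitive, like Splunk)."""
    path = process_path.lower()
    return any(fnmatchcase(path, pattern.lower()) for pattern in allowlist)


def detect_pua_pipes(events, allowlist=PROCESS_PATH_ALLOWLIST,
                     lookup=PUA_NAMED_PIPES, exclude=lambda row: False):
    """Apply the search logic to Sysmon event dicts and return the aggregated
    rows the stats/lookup/where stages would produce. `exclude` plays the role
    of the `windows_pua_named_pipe_filter` macro: a per-row tuning predicate."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        # (EventCode=17 OR EventCode=18): pipe created / pipe connected
        if ev.get("EventCode") not in (17, 18):
            continue
        # NOT process_path IN (...): drop known-good software
        if is_allowlisted(ev.get("process_path", ""), allowlist):
            continue
        # lookup ... | where isnotnull(tool): keep only pipes in the PUA table.
        # Exact, case-sensitive match, as a default Splunk CSV lookup behaves.
        hit = lookup.get(ev.get("pipe_name", ""))
        if hit is None:
            continue
        # stats min(_time) max(_time) count by ... (a reduced `by` clause here)
        key = (ev["dest"], ev["process_path"], ev["pipe_name"], ev.get("user_id"))
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["tool"], g["description"] = hit
    rows = []
    for (dest, path, pipe, user), g in groups.items():
        row = {"dest": dest, "process_path": path, "pipe_name": pipe, "user_id": user, **g}
        if not exclude(row):
            rows.append(row)
    return rows


# Constructed sample events (not real telemetry); _time is an epoch-style integer.
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 17, "dest": "ws01", "user_id": "S-1-5-18",
     "process_path": "C:\\Windows\\PSEXESVC.exe", "pipe_name": "\\PSEXESVC"},
    {"_time": 160, "EventCode": 18, "dest": "ws01", "user_id": "S-1-5-18",
     "process_path": "C:\\Windows\\PSEXESVC.exe", "pipe_name": "\\PSEXESVC"},
    # allow-listed path: dropped even though the pipe name is in the lookup
    {"_time": 170, "EventCode": 17, "dest": "ws01", "user_id": "S-1-5-18",
     "process_path": "C:\\Program Files\\Microsoft Office\\x.exe", "pipe_name": "\\PSEXESVC"},
    # not a pipe event: dropped by the EventCode filter
    {"_time": 180, "EventCode": 1, "dest": "ws01", "user_id": "S-1-5-18",
     "process_path": "C:\\Users\\alice\\tool.exe", "pipe_name": ""},
    # pipe not in the lookup: dropped by where isnotnull(tool)
    {"_time": 190, "EventCode": 17, "dest": "ws02", "user_id": "S-1-5-21-1",
     "process_path": "C:\\Users\\alice\\tool.exe", "pipe_name": "\\unrelatedpipe"},
    {"_time": 200, "EventCode": 18, "dest": "ws02", "user_id": "S-1-5-21-1",
     "process_path": "C:\\Program Files\\OpenVPN\\bin\\openvpn.exe", "pipe_name": "\\openvpn"},
]

if __name__ == "__main__":
    for row in detect_pua_pipes(SAMPLE_EVENTS):
        print(row)
    # Tuning as the LoFP note suggests: suppress a pipe name known to be benign here.
    tuned = detect_pua_pipes(SAMPLE_EVENTS, exclude=lambda r: r["pipe_name"] == "\\openvpn")
    print(len(tuned), "row(s) after pipe-name tuning")
```

The `exclude` predicate is where the page's tuning advice lands: a filter on `process_path` or `pipe_name` applied after aggregation, which is the same position the `windows_pua_named_pipe_filter` macro occupies in the search.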