Techniques
Sample rules
First Time Seen Remote Named Pipe - Zeek
- source: sigma
- techniques:
- t1021
- t1021.002
Description
This detection excludes known named pipes that are legitimately accessed remotely and alerts on newly observed ones; it may help to detect lateral movement and remote execution over named pipes.
Detection logic
condition: selection and not 1 of filter_*
filter_keywords:
    - samr
    - lsarpc
    - winreg
    - netlogon
    - srvsvc
    - protected_storage
    - wkssvc
    - browser
    - netdfs
    - svcctl
    - spoolss
    - ntsvcs
    - LSM_API_service
    - HydraLsPipe
    - TermSrv_API_service
    - MsFteWds
selection:
    path: \\\\\*\\IPC$
First Time Seen Remote Named Pipe
- source: sigma
- techniques:
- t1021
- t1021.002
Description
This detection excludes known named pipes that are legitimately accessed remotely and alerts on newly observed ones; it may help to detect lateral movement and remote execution over named pipes.
Detection logic
condition: selection1 and not false_positives
false_positives:
    RelativeTargetName:
        - atsvc
        - samr
        - lsarpc
        - lsass
        - winreg
        - netlogon
        - srvsvc
        - protected_storage
        - wkssvc
        - browser
        - netdfs
        - svcctl
        - spoolss
        - ntsvcs
        - LSM_API_service
        - HydraLsPipe
        - TermSrv_API_service
        - MsFteWds
        - sql\query
        - eventlog
selection1:
    EventID: 5145
    ShareName: \\\\\*\\IPC$
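As an added example (not code from the Sigma project or from this page), the Windows Security variant above re-implemented in Python, with in-memory "first time seen" state and constructed Event ID 5145 records; the Zeek variant uses the same allowlist idea on the pipe path instead of RelativeTargetName. The event dict layout, the FirstSeenPipeDetector class and the sample pipe names are assumptions.

```python
import fnmatch

# Allowlist from the rule's false_positives list, lowered because Sigma
# compares values case-insensitively by default.
KNOWN_PIPES = {p.lower() for p in (
    "atsvc", "samr", "lsarpc", "lsass", "winreg", "netlogon", "srvsvc",
    "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss",
    "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service",
    "MsFteWds", "sql\\query", "eventlog")}

# Sigma 'ShareName: \\\\*\\IPC$' unescapes to the glob \\*\IPC$; Windows logs
# the 5145 share name as the literal string \\*\IPC$, which it also matches.
IPC_SHARE_GLOB = r"\\*\IPC$"

def matches_selection(event):
    """selection1: EventID 5145 on an IPC$ share (case-insensitive)."""
    share = str(event.get("ShareName", "")).lower()
    return event.get("EventID") == 5145 and fnmatch.fnmatchcase(
        share, IPC_SHARE_GLOB.lower())

class FirstSeenPipeDetector:
    """Stateful 'first time seen' logic: one alert per new pipe name."""
    def __init__(self):
        self.seen = set()  # assumption: in-memory; persist in a real pipeline

    def process(self, event):
        """Return the pipe name for a new, non-allowlisted pipe, else None."""
        if not matches_selection(event):
            return None
        pipe = str(event.get("RelativeTargetName", "")).lower()
        if not pipe or pipe in KNOWN_PIPES or pipe in self.seen:
            return None
        self.seen.add(pipe)
        return pipe

def run_detection(events):
    """Feed events through one detector and collect the alerts it raises."""
    detector = FirstSeenPipeDetector()
    return [pipe for pipe in map(detector.process, events) if pipe]

# Constructed sample events (not real telemetry); 'examplepipe' is a
# placeholder name, not a known indicator.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "SAMR"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "examplepipe"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "examplepipe"},
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": "other"},
    {"EventID": 4624, "ShareName": r"\\*\IPC$", "RelativeTargetName": "other"},
]
```

Running `run_detection(SAMPLE_EVENTS)` raises a single alert for `examplepipe`: allowlisted pipes, the repeat sighting, the non-IPC$ share and the non-5145 event are all suppressed.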