title: Malicious Named Pipe
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: experimental
description: Detects the creation of a named pipe used by known APT malware
references:
    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
    - https://securelist.com/faq-the-projectsauron-apt/75533/
    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://github.com/RiccardoAncarani/LiquidSnake
    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2017/11/06
modified: 2022/03/15
author: Florian Roth, blueteam0ps, elhoim
logsource:
   product: windows
   category: pipe_created
   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
   selection:
      PipeName: 
         - '\isapi_http'  # Uroburos Malware
         - '\isapi_dg'  # Uroburos Malware 
         - '\isapi_dg2'  # Uroburos Malware
         - '\sdlrpc'  # Cobra Trojan
         - '\ahexec'  # Sofacy group malware
         - '\winsession'  # Wild Neutron APT malware 
         - '\lsassw'  # Wild Neutron APT malware 
         - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron 
         - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
         - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron 
         - '\rpchlp_3'  # Project Sauron 
         - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves 
         - '\pcheap_reuse'  # Pipe used by Equation Group malware
         - '\gruntsvc' # Covenant default 
         # - '\status_*' # CS default  https://github.com/Neo23x0/sigma/issues/253
         - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware 
         - '\bizkaz'  # Snatch Ransomware 
         - '\svcctl' #Crackmapexec smbexec default 
         - '\Posh*' #PoshC2 default 
         - '\jaccdpqnvbrrxlaf' #PoshC2 default 
         - '\csexecsvc' #CSEXEC default
         - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake 
         - '\adschemerpc'  # Turla HyperStack 
         - '\AnonymousPipe'  # Hidden Cobra Hoplight
         - '\bc367'  # Pacifier 
         - '\bc31a7'  # Pacifier 
         - '\testPipe'  # Emissary Panda Hyperbro 
         - '\dce_3d' #Qbot
   condition: selection
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
falsepositives:
   - Unknown
level: critical