# tl;dr

When using SMB pipe pivoting, I always wondered whether my custom SMB pipe name would get picked up in Sysmon `Event ID 17` and `Event ID 18` as a known IoC. I've found no centralized source for that, so I have compiled rules from several sources into a single simple Python script, `iocpipe.py`. It is available on GitHub as a [gist](https://gist.github.com/zimnyaa/57f744491192141c6c20b25bf842cbe9).

Usage example:

![[Pasted image 20220217130055.png]]

> **note:** Named Pipe Creation is also heavily utilized when hunting for privesc (specifically rogue named pipe impersonation), lsass/secret dumping, information gathering, etc. This post only focuses on pivoting detections.

# SigmaHQ

> **note:** rules grabbed from https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created

SigmaHQ has several rules regarding named pipes. The simplest ones relate to known Cobalt Strike and default PsExec pipes:

```yml
# PSEXEC
detection:
    selection:
        PipeName|startswith:
            - 'psexec'
            - 'paexec'
            - 'remcom'
            - 'csexec'
    condition: selection
```

```yml
# Cobalt Strike
detection:
    selection_MSSE:
        PipeName|contains|all:
            - '\MSSE-'
            - '-server'
    selection_postex:
        PipeName|startswith: '\postex_'
    selection_postex_ssh:
        PipeName|startswith: '\postex_ssh_'
    selection_status:
        PipeName|startswith: '\status_'
    selection_msagent:
        PipeName|startswith: '\msagent_'
    condition: 1 of selection*
```

More advanced rules include definitions for various known malware samples and C2 frameworks:

```yml
detection:
    selection:
        PipeName:
            - '\isapi_http' # Uroburos Malware
            - '\isapi_dg' # Uroburos Malware
            - '\isapi_dg2' # Uroburos Malware
            - '\sdlrpc' # Cobra Trojan
            - '\ahexec' # Sofacy group malware
            - '\winsession' # Wild Neutron APT malware
            - '\lsassw' # Wild Neutron APT malware
            - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron
            - '\9f81f59bc58452127884ce513865ed20' # Project Sauron
            - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
            - '\rpchlp_3' # Project Sauron
            - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves
            - '\pcheap_reuse' # Pipe used by Equation Group malware
            - '\gruntsvc' # Covenant default
            # - '\status_*' # CS default https://github.com/Neo23x0/sigma/issues/253
            - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware
            - '\bizkaz' # Snatch Ransomware
            - '\svcctl' # Crackmapexec smbexec default
            - '\Posh*' # PoshC2 default
            - '\jaccdpqnvbrrxlaf' # PoshC2 default
            - '\csexecsvc' # CSEXEC default
            - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake
            - '\adschemerpc' # Turla HyperStack
            - '\AnonymousPipe' # Hidden Cobra Hoplight
            - '\bc367' # Pacifier
            - '\bc31a7' # Pacifier
            - '\testPipe' # Emissary Panda Hyperbro
    condition: selection
```

```yml
# Cobalt Strike malleable profiles
detection:
    selection_malleable_profiles:
        - PipeName|startswith:
            - '\mojo.5688.8052.183894939787088877'
            - '\mojo.5688.8052.35780273329370473'
            - '\mypipe-f'
            - '\mypipe-h'
            - '\ntsvcs'
            - '\scerpc'
            - '\win_svc'
            - '\spoolss'
            - '\msrpc_'
            - '\win\msrpc_'
            - '\wkssvc'
            - '\f53f'
            - '\windows.update.manager'
            - '\SearchTextHarvester'
            - '\DserNamePipe'
            - '\PGMessagePipe'
            - '\MsFteWds'
            - '\f4c3'
            - '\fullduplex_'
            - '\rpc_'
        - PipeName:
            - '\demoagent_11'
            - '\demoagent_22'
    selection_malleable_profile_CatalogChangeListener:
        PipeName|startswith: '\Winsock2\CatalogChangeListener-'
        PipeName|endswith: '-0,'
    filter:
        PipeName:
            - '\wkssvc'
            - '\spoolss'
            - '\scerpc'
            - '\ntsvcs'
            - '\SearchTextHarvester'
            - '\PGMessagePipe'
            - '\MsFteWds'
    condition: 1 of selection_malleable_profile* and not filter
```

Several regex rules are also provided for malleable profiles:

```yml
detection:
    selection:
        - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
        - PipeName|re: '\\\\wkssvc_?[0-9a-f]{2}'
        - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'
        - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'
        - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'
        - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}'
        - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}'
        - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'
        - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'
        - PipeName|re: '\\\\PGMessagePipe[0-9a-f]{2}'
        - PipeName|re: '\\\\MsFteWds[0-9a-f]{2}'
        - PipeName|re: '\\\\f4c3[0-9a-f]{2}'
        - PipeName|re: '\\\\fullduplex_[0-9a-f]{2}'
        - PipeName|re: '\\\\msrpc_[0-9a-f]{4}'
        - PipeName|re: '\\\\win\\\\msrpc_[0-9a-f]{2}'
        - PipeName|re: '\\\\f53f[0-9a-f]{2}'
        - PipeName|re: '\\\\rpc_[0-9a-f]{2}'
        - PipeName|re: '\\\\spoolss_[0-9a-f]{2}'
        - PipeName|re: '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'
    condition: selection
```

# Azure-Sentinel

> **note:** rules grabbed from https://github.com/Azure/Azure-Sentinel

The Azure Sentinel rule is simpler, and just contains a known-bad list:

```kql
let badPipeNames = pack_array(
    '\\psexec', // PSexec default pipe
    '\\paexec', // PSexec default pipe
    '\\remcom', // PSexec default pipe
    '\\csexec', // PSexec default pipe
    '\\isapi_http', // Uroburos Malware Named Pipe
    '\\isapi_dg', // Uroburos Malware Named Pipe
    '\\isapi_dg2', // Uroburos Malware Named Pipe
    '\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
    '\\ahexec', // Sofacy group malware
    '\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
    '\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
    '\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
    '\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
    '\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
    '\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
    '\\NamePipe_MoreWindows', // Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
    '\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
    '\\gruntsvc', // Covenant default named pipe
    '\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    '\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
    '\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
    '\\userpipe', // ruag apt case
    '\\iehelper', // ruag apt case
    '\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    '\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    '\\lsadump', // Cred Dump-Tools Named Pipes
    '\\cachedump', // Cred Dump-Tools Named Pipes
    '\\wceservicepipe', // Cred Dump-Tools Named Pipes
    '\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
    '\\svcctl', // CrackMapExec default named pipe
    '\\csexecsvc', // CSEXEC default named pipe
    '\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
    '\\MSSE-', // CobaltStrike default named pipe
    '\\status_', // CobaltStrike default named pipe
    '\\msagent_', // (target) CobaltStrike default named pipe
    '\\postex_ssh_', // CobaltStrike default named pipe
    '\\postex_', // CobaltStrike default named pipe
    '\\Posh' // PoshC2 default named pipe
);
```

# Splunk

> **note:** rules grabbed from https://research.splunk.com/endpoint/cobalt_strike_named_pipes/

The Splunk rules for SMB pipe pivoting do not contain anything new:

```spl
`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\wkssvc*, \\DserNamePipe*, \\srvsvc_*, \\mojo.*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*)
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, process_id, process_path, PipeName
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cobalt_strike_named_pipes_filter`
```

# FalconForce

> **note:** rules grabbed from https://github.com/FalconForceTeam/FalconFriday/blob/137420b50406ee13cf588e5190a6b0062de4d41f/Execution/T1559-WIN-001.md

The FalconForce rules are more advanced, and even contain exceptions, especially for pipe names containing the PID, PPID or ThreadID, to exclude Chrome/PSHost/crashpad/cubeb false positives. These exceptions are properly parsed by `iocpipe.py`. The FalconForce named pipe rules are:

```kql
let timeframe=1h;
let CobaltStrikeDefaults= dynamic([@"msagent_", @"MSSE-", @"postex_", @"status_", @"mypipe-f", @"mypipe-h",@"ntsvcs_",@"scerpc_", @"mojo.5688.8052."]);
let CobaltStrikeMallable= dynamic([@"win_svc", @"ntsvcs", @"scerpc", @"status_", @"SearchTextHarvester", @"DserNamePipe",@"wkssvc_",@"scerpc_", @"spoolss_",@"CatalogChangeListener",@"fullduplex_",@"demoagent_",@"PGMessagePipe",@"MsFteWds",@"postex_ssh_",@"windows.update.manager",@"\f4c3",@"\f53f",@"halfduplex_"]);
DeviceEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "NamedPipeEvent"
| extend AdditionalFields=parse_json(AdditionalFields)
| extend ThreadId=tostring(AdditionalFields.ThreadId)
| extend PipeName=tostring(AdditionalFields.PipeName)
// creating string based variants of the processIDs for matching several times later
| extend InitiatingPID=tostring(InitiatingProcessId)
| extend InitiatingParentPID=tostring(InitiatingProcessParentId)
// Customer specific whitelist
// End customer specific whitelist
| where PipeName has_any (CobaltStrikeDefaults) or
// mojo is generated by Chrome(ium) browsers and teams and have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex
(PipeName matches regex @"\\mojo\.\d+\.\d+\." and not(PipeName matches regex @"\\mojo\.\d+\.\d+\.\d+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// chrome(ium) browsers sync processes have distinct pattern including the (parent)ProcessId and ThreadId plus a random character string, CobaltStrike generates hex
(PipeName matches regex @"\\(edge|chrome)\.sync\.\d+\.\d+\." and not(PipeName matches regex @"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID or PipeName has ThreadId)) or
// PSHost is generated by PowerShell and has a distinct pattern including the (parent)ProcessId
(PipeName matches regex @"\\PSHost\.\d+\." and not(PipeName matches regex @"\\PSHost\.\d+\.\d+\." or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// crashpad pipes have a distinct pattern including the ProcessId and a string of upper case characters
(PipeName matches regex @"\\crashpad_" and not(PipeName matches regex @"\\crashpad_\d+_[A-Z]+" or PipeName has InitiatingPID or PipeName has InitiatingParentPID)) or
// firefox pipes have a distinct pattern including the ProcessId and 1-3 digits which are sequential for each new pipe
(PipeName matches regex @"\\cubeb-pipe-" and not(PipeName matches regex @"\\cubeb-pipe-\d+_[0-9]{1,3}" or PipeName has InitiatingPID)) or
// based on a list of public mallable profiles and a suffix that is a random HEX string
(PipeName has_any (CobaltStrikeMallable) and PipeName matches regex @"[a-fA-F0-9]{2,10}") or
(PipeName matches regex @"\\pipe\\[0-9a-f]{7,10}" or PipeName matches regex @"\\pipe\\[0-9a-f]{8}")
```
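To show how the two rule shapes above combine in practice, here is an added checker in the spirit of `iocpipe.py`. It is example code written for this post, not the gist itself and not SigmaHQ or FalconForce code: it evaluates a constructed subset of the Sigma rules (`startswith`, `contains|all`, `re`, exact match, and a `filter`) and then applies the FalconForce idea of tolerating a noisy prefix when the pipe either has the legitimate product's full shape or embeds the creating process's PID, PPID or thread id. All rule names, the `$`-anchored benign patterns and the sample events are constructed for the demo; the Sigma regexes are rewritten against the single leading backslash that Sysmon logs rather than the doubly escaped form in the YAML.

```python
import re
from dataclasses import dataclass, field

# Sysmon Event ID 17/18 report PipeName with one leading backslash
# (e.g. \PSEXESVC), so every literal below starts with "\\".


@dataclass
class Rule:
    """Sigma-shaped rule reduced to the modifiers the quoted rules use.
    Fires when any selection matches and no filter matches; keys inside
    a selection are ANDed, values under a key are ORed, except
    'contains|all', which needs every listed substring."""
    name: str
    selections: list
    filters: list = field(default_factory=list)


def _key_matches(key: str, values, pipe: str) -> bool:
    mods = key.split("|")[1:]                     # drop the 'PipeName' field
    vals = values if isinstance(values, list) else [values]
    p = pipe.lower()                              # Sigma string matching is case-insensitive
    if mods == ["startswith"]:
        return any(p.startswith(v.lower()) for v in vals)
    if mods == ["endswith"]:
        return any(p.endswith(v.lower()) for v in vals)
    if mods == ["contains"]:
        return any(v.lower() in p for v in vals)
    if mods == ["contains", "all"]:
        return all(v.lower() in p for v in vals)
    if mods == ["re"]:
        return any(re.search(v, pipe) for v in vals)
    if not mods:                                  # plain value: exact match
        return any(p == v.lower() for v in vals)
    raise ValueError(f"unsupported modifier in {key!r}")


def _selection_matches(selection: dict, pipe: str) -> bool:
    return all(_key_matches(k, v, pipe) for k, v in selection.items())


def sigma_hits(pipe: str, rules) -> list:
    return [r.name for r in rules
            if any(_selection_matches(s, pipe) for s in r.selections)
            and not any(_selection_matches(f, pipe) for f in r.filters)]


# Constructed subset of the SigmaHQ rules quoted in the post (names are mine).
SIGMA_RULES = [
    Rule("psexec_default",
         [{"PipeName|startswith": ["\\psexec", "\\paexec", "\\remcom", "\\csexec"]}]),
    Rule("cobalt_strike_default",
         [{"PipeName|contains|all": ["\\MSSE-", "-server"]},
          {"PipeName|startswith": "\\postex_"},
          {"PipeName|startswith": "\\status_"},
          {"PipeName|startswith": "\\msagent_"}]),
    Rule("cs_malleable_prefix",
         [{"PipeName|startswith": ["\\mojo.5688.8052.183894939787088877",
                                   "\\wkssvc", "\\ntsvcs", "\\spoolss"]},
          {"PipeName": ["\\demoagent_11", "\\demoagent_22"]}],
         filters=[{"PipeName": ["\\wkssvc", "\\spoolss", "\\ntsvcs"]}]),
    Rule("cs_malleable_regex",
         [{"PipeName|re": [r"\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}",
                           r"\\wkssvc_?[0-9a-f]{2}", r"\\ntsvcs[0-9a-f]{2}"]}]),
]

# FalconForce-style noisy prefixes: (name, prefix regex, benign full-shape regex).
# Anchoring the benign shape with '$' is this example's choice: a pipe that copies
# a Chrome mojo name but ends in two hex characters fails the benign shape.
NOISY_PREFIXES = [
    ("mojo",     r"^\\mojo\.\d+\.\d+\.",  r"^\\mojo\.\d+\.\d+\.\d+$"),
    ("pshost",   r"^\\PSHost\.\d+\.",     r"^\\PSHost\.\d+\.\d+\."),
    ("crashpad", r"^\\crashpad_",         r"^\\crashpad_\d+_[A-Z]+$"),
    ("cubeb",    r"^\\cubeb-pipe-",       r"^\\cubeb-pipe-\d+_[0-9]{1,3}$"),
]


def noisy_prefix_hits(pipe: str, pid=None, ppid=None, tid=None) -> list:
    """Flag a noisy prefix only if the name has neither the product's full shape
    nor a token equal to the creating PID/PPID/thread id (token comparison
    approximates KQL 'has', which is term-based rather than substring-based)."""
    ids = {str(x) for x in (pid, ppid, tid) if x is not None}
    tokens = set(re.split(r"[^A-Za-z0-9]+", pipe))
    return [f"falcon_{name}_shape" for name, prefix, benign in NOISY_PREFIXES
            if re.search(prefix, pipe) and not re.search(benign, pipe)
            and not (ids & tokens)]


def check_pipe(pipe: str, pid=None, ppid=None, tid=None) -> list:
    """Names of every rule that would flag this pipe-creation event."""
    return sigma_hits(pipe, SIGMA_RULES) + noisy_prefix_hits(pipe, pid, ppid, tid)


# Constructed Sysmon-like events (PipeName, pid, ppid, tid), not real telemetry.
SAMPLE_EVENTS = [
    ("\\PAExec-4312-WS01", 4312, 600, 4400),
    ("\\MSSE-1337-server", 2200, 600, 2210),
    ("\\mojo.5688.8052.183894939787088877ab", 9000, 1, 77),   # profile copying a Chrome name
    ("\\mojo.4120.9988.12345678901234567", 4120, 3300, 9988), # genuine Chrome-shaped pipe
    ("\\wkssvc", 700, 600, 710),                              # real service pipe, filtered
    ("\\wkssvc_3f", 700, 600, 710),                           # same prefix plus random hex
    ("\\PSHost.132841.5520.DefaultAppDomain.powershell", 5520, 600, 5530),
    ("\\PSHost.7.nope", 8800, 600, 8810),
]

if __name__ == "__main__":
    for pipe, pid, ppid, tid in SAMPLE_EVENTS:
        print(f"{pipe:50} -> {check_pipe(pipe, pid, ppid, tid) or 'no hits'}")
```

Two of the sample events make the point of the post: `\wkssvc` is silent because the Sigma `filter` removes the real service pipe while `\wkssvc_3f` is caught by both the prefix and the regex rule, and the Chrome-shaped `\mojo.4120.9988.…` created by PID 4120 passes because it matches the benign shape and carries its own PID, whereas the profile-style name with a hex suffix does not.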