C2-NamedPipe
Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
| Defender-DeviceEvents | 9007006 | Named pipe event |
Stages and Predicates
Stage 1: source
DeviceEvents
Stage 2: where
ActionType eq "NamedPipeEvent"
Stage 3: extend
Stage 4: where
FileOperation eq "File created"
Stage 5: where
PipeName match "badPipeNames"
Stage 6: project
Stage 7: extend
Stage 8: extend
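The eight stages above assembled into one advanced-hunting query over Defender's DeviceEvents table (an added example, not the catalog's own rule text). The badPipeNames entries are placeholders because the page does not publish the list, and the Stage 5 "match" is rendered as a case-insensitive term match with `has_any`; both are assumptions.

```kusto
// Added example: C2-NamedPipe stages as a complete query.
// The catalog names a list called badPipeNames but does not publish it,
// so the entries below are placeholders to be replaced with the
// organisation's own vetted pipe-name indicators.
let badPipeNames = dynamic([
    "PLACEHOLDER_PIPE_NAME_1",
    "PLACEHOLDER_PIPE_NAME_2"
]);
DeviceEvents
// Stage 2: keep only named-pipe telemetry
| where ActionType == "NamedPipeEvent"
// Stage 3: pipe details live in the AdditionalFields JSON blob
| extend Pipe = parse_json(AdditionalFields)
| extend FileOperation = tostring(Pipe.FileOperation),
         PipeName = tostring(Pipe.PipeName)
// Stage 4: the server-side creation of the pipe, not later client connections
| where FileOperation == "File created"
// Stage 5: compare against the indicator list (assumed: term match, case-insensitive;
// use "matches regex" instead if the list holds patterns rather than names)
| where PipeName has_any (badPipeNames)
// Stage 6: keep the columns an analyst needs for triage
| project Timestamp, DeviceName, PipeName, FileOperation,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId, InitiatingProcessAccountName, ReportId
// Stages 7-8: tag each hit with the ATT&CK mapping from the table above
| extend Tactic = "Command & Control", Technique = "T1105"
```

Because only "File created" events are kept, a process that merely connects to an existing pipe (Sysmon 18 / "File opened") does not fire the rule.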
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | "NamedPipeEvent" |
| FileOperation | eq | "File created" |
| PipeName | match | "badPipeNames" |