Detection rules › Kusto Query Language
Solorigate Named Pipe
'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055 Process Injection |
| Defense Evasion | T1055 Process Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
| Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access. |
Stages and Predicates
Stage 1: source
<union>
Stage 2: union
union of 3 branches