Malicious Named Pipe Created
Detects the creation of a named pipe whose name is known to be used by APT groups or malware tooling (Sysmon pipe events 17 and 18).
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055 Process Injection |
| Defense Evasion | T1055 Process Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
Stages and Predicates
Stage 1: selection
PipeName: ['\46a676ab7f179e511e30dd2dc41bd388', '\583da945-62af-10e8-4902-a8f205c72b2e', '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7', '\9f81f59bc58452127884ce513865ed20', '\AnonymousPipe', '\NamePipe_MoreWindows', '\Posh*', '\adschemerpc', '\ahexec', '\bc31a7', '\bc367', '\bizkaz', '\csexecsvc', '\dce_3d', '\e710f28d59aa529d6792ca6ff0ca1b34', '\gruntsvc', '\isapi_dg', '\isapi_dg2', '\isapi_http', '\jaccdpqnvbrrxlaf', '\lsassw', '\pcheap_reuse', '\rpchlp_3', '\sdlrpc', '\svcctl', '\testPipe', '\winsession']
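The selection above is a plain list of string values, which in Sigma means a case-insensitive exact match per value, with `*` acting as a wildcard (so `\Posh*` covers any pipe whose name starts with `\Posh`). The following is an added example, not code from the page or from the Sigma project, that applies the rule's selection to a handful of constructed Sysmon pipe events (IDs 17 and 18) and returns the matches; the event dictionaries, image paths and the helper names are assumptions made for the illustration.

```python
import re

# Pipe names from the rule's Stage 1 selection, copied as listed on the page.
# Raw strings keep the leading backslash literal (e.g. '\46a6...' and '\bc31a7'
# would otherwise be read as octal / backspace escapes).
PIPE_NAME_PATTERNS = [
    r'\46a676ab7f179e511e30dd2dc41bd388', r'\583da945-62af-10e8-4902-a8f205c72b2e',
    r'\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7', r'\9f81f59bc58452127884ce513865ed20',
    r'\AnonymousPipe', r'\NamePipe_MoreWindows', r'\Posh*', r'\adschemerpc',
    r'\ahexec', r'\bc31a7', r'\bc367', r'\bizkaz', r'\csexecsvc', r'\dce_3d',
    r'\e710f28d59aa529d6792ca6ff0ca1b34', r'\gruntsvc', r'\isapi_dg', r'\isapi_dg2',
    r'\isapi_http', r'\jaccdpqnvbrrxlaf', r'\lsassw', r'\pcheap_reuse', r'\rpchlp_3',
    r'\sdlrpc', r'\svcctl', r'\testPipe', r'\winsession',
]

# Sysmon event IDs the rule's logsource covers (17 = Pipe Created, 18 = Pipe Connected).
SYSMON_PIPE_EVENT_IDS = {17, 18}


def sigma_value_to_regex(value: str) -> re.Pattern:
    """Translate one Sigma string value into a regex with Sigma's default semantics:
    whole-value match, case-insensitive, '*' matches any run, '?' matches one char."""
    parts = []
    for ch in value:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [(v, sigma_value_to_regex(v)) for v in PIPE_NAME_PATTERNS]


def matching_pattern(pipe_name: str):
    """Return the rule value that matches pipe_name, or None if the selection does not fire."""
    for raw, rx in COMPILED_PATTERNS:
        if rx.match(pipe_name):
            return raw
    return None


def scan(events):
    """Apply the selection to a list of event dicts; return one alert dict per matching event."""
    alerts = []
    for ev in events:
        if ev.get('EventID') not in SYSMON_PIPE_EVENT_IDS:
            continue                      # logsource filter: only pipe events are evaluated
        hit = matching_pattern(ev.get('PipeName', ''))
        if hit is not None:
            alerts.append({'EventID': ev['EventID'], 'PipeName': ev['PipeName'],
                           'Image': ev.get('Image'), 'matched': hit})
    return alerts


# Constructed sample events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {'EventID': 17, 'PipeName': r'\Posh-7b3a91', 'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'},
    {'EventID': 17, 'PipeName': r'\SVCCTL', 'Image': r'C:\Users\alice\AppData\Local\Temp\svc.exe'},   # case differs
    {'EventID': 18, 'PipeName': r'\gruntsvc', 'Image': r'C:\Windows\System32\rundll32.exe'},
    {'EventID': 17, 'PipeName': r'\mojo.5240.1236.1958432', 'Image': r'C:\Program Files\Browser\browser.exe'},
    {'EventID': 17, 'PipeName': r'\lsass', 'Image': r'C:\Windows\System32\lsass.exe'},              # not '\lsassw'
    {'EventID': 1, 'Image': r'C:\Windows\System32\cmd.exe'},                                         # not a pipe event
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two behaviours are worth noting when porting the rule to a SIEM: the `\SVCCTL` event fires because Sigma values are case-insensitive by default, so a backend that compiles to a case-sensitive comparison will silently miss it; and `\lsass` does not fire because every value other than `\Posh*` is an exact match, not a substring match.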
Indicators
Each row is a field, operator and value set that the rule matches on. The corpus column counts how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| PipeName | eq | `\46a676ab7f179e511e30dd2dc41bd388`, `\583da945-62af-10e8-4902-a8f205c72b2e`, `\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7`, `\9f81f59bc58452127884ce513865ed20`, `\AnonymousPipe`, `\NamePipe_MoreWindows`, `\Posh*`, `\adschemerpc`, `\ahexec`, `\bc31a7`, `\bc367`, `\bizkaz`, `\csexecsvc`, `\dce_3d`, `\e710f28d59aa529d6792ca6ff0ca1b34`, `\gruntsvc`, `\isapi_dg`, `\isapi_dg2`, `\isapi_http`, `\jaccdpqnvbrrxlaf`, `\lsassw`, `\pcheap_reuse`, `\rpchlp_3`, `\sdlrpc`, `\svcctl`, `\testPipe`, `\winsession` |