Detection rules › Sigma
First Time Seen Remote Named Pipe
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access. |
Stages and Predicates
Stage 1: selection1
ShareName: '\\\\\*\\IPC$'
Stage 2: not false_positives
RelativeTargetName: [HydraLsPipe, LSM_API_service, MsFteWds, TermSrv_API_service, atsvc, browser, eventlog, lsarpc, lsass, netdfs, netlogon, ntsvcs, protected_storage, samr, spoolss, 'sql\query', srvsvc, svcctl, winreg, wkssvc]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
RelativeTargetName | eq |
|
ShareName | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Remote Task Creation via ATSVC Named Pipe (adds 2 filters)
- Remote Service Activity via SVCCTL Named Pipe (adds 2 filters)
- DCERPC SMB Spoolss Named Pipe (adds 1 filter)
- Impacket PsExec Execution (adds 1 filter)
- Suspicious PsExec Execution (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Transferring Files with Credential Data via Network Shares (drops 1 filter this rule applies)