Windows App Layer Protocol Qakbot NamedPipe

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects a suspicious process creating or connecting to a potential Qakbot named pipe. It leverages Sysmon EventCodes 17 and 18, focusing on specific processes known to be abused by Qakbot and identifying randomly generated named pipes in GUID form. This activity is significant as Qakbot malware uses named pipes for inter-process communication after code injection, facilitating data theft. If confirmed malicious, this behavior could indicate a Qakbot infection, leading to unauthorized data access and potential exfiltration from the compromised host.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1071` Application Layer Protocol

Event coverage

Provider	Event ID	Title
Sysmon	17	PipeEvent (Pipe Created)
Sysmon	18	PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: `search`

search EventCode IN (17, 18) EventType IN ("ConnectPipe", "CreatePipe") Image IN ("*\\OneDriveSetup.exe", "*\\calc.exe", "*\\dxdiag.exe", "*\\explorer.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\notepad.exe", "*\\ping.exe", "*\\rdpclip.exe", "*\\wermgr.exe", "*\\xwizard.exe")

Stage 2: `regex`

regex match(PipeName, "^\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{8}")

Stage 3: `stats`

stats BY dest, dvc, pipe_name, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, Image, PipeName

Stage 4: `search`

search

Stage 5: `search`

search

Stage 6: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	in	`17` corpus 6 (splunk 6) `18` corpus 6 (splunk 6)
`EventType`	in	`"ConnectPipe"` corpus 4 (splunk 4) `"CreatePipe"` corpus 4 (splunk 4)
`Image`	in	`"\\OneDriveSetup.exe"` `"\\calc.exe"` `"\\dxdiag.exe"` `"\\explorer.exe"` `"\\mobsync.exe"` `"\\msra.exe"` `"\\notepad.exe"` `"\\ping.exe"` `"\\rdpclip.exe"` `"\\wermgr.exe"` `"*\\xwizard.exe"`
`PipeName`	regex_match	`"^\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{8}"`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Trickbot Named Pipe [splunk]
Windows Anonymous Pipe Activity [splunk]
Windows App Layer Protocol Wermgr Connect To NamedPipe [splunk]
Windows Application Layer Protocol RMS Radmin Tool Namedpipe [splunk]
Windows PUA Named Pipe [splunk]
Windows RMM Named Pipe [splunk]
Windows Suspicious C2 Named Pipe [splunk]
Windows Suspicious Named Pipe [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Trickbot Named Pipe [splunk]
Windows Anonymous Pipe Activity [splunk]
Windows App Layer Protocol Wermgr Connect To NamedPipe [splunk]
Windows Application Layer Protocol RMS Radmin Tool Namedpipe [splunk]
Windows PUA Named Pipe [splunk]
Windows RMM Named Pipe [splunk]
Windows Suspicious C2 Named Pipe [splunk]
Windows Suspicious Named Pipe [splunk]