Detection rules › Splunk
Windows PUA Named Pipe
The following analytic detects the creation or connection to named pipes used by potentially unwanted applications (PUAs) like VPNs or utilities like PsExec. It leverages Sysmon EventCodes 17 and 18. If confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1559 Inter-Process Communication |
| Privilege Escalation | T1055 Process Injection |
| Defense Evasion | T1055 Process Injection |
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
Stages and Predicates
Stage 1: search
search (EventCode=17 OR EventCode=18) NOT process_path IN ("*:\\Program Files \(x86\)\\Adobe*", "*:\\Program Files \(x86\)\\Google*", "*:\\Program Files \(x86\)\\Microsoft*", "*:\\Program Files\\Adobe*", "*:\\Program Files\\Google*", "*:\\Program Files\\Microsoft*", "*:\\Program Files\\dotnet\\dotnet.exe", "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SystemApps\\Microsoft*", "*:\\Windows\\system32\\SearchIndexer.exe", "*\\Amazon\\SSM\\Instance*", "*\\AppData\\Local\\Google*", "*\\AppData\\Local\\Kingsoft\\*", "*\\AppData\\Local\\Microsoft*", "System")
Stage 2: stats
stats BY dest, dvc, process_exec, process_guid, process_id, process_path, signature, signature_id, vendor_product, pipe_name, user_id, Image, process_name
Stage 3: lookup
lookup <lookup> description, pipe_name, pua_pipe_name, tool
Stage 4: where
where isnotnull(tool)
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | process_name | in | "*:\\Program Files \(x86\)\\Adobe*", "*:\\Program Files \(x86\)\\Google*", "*:\\Program Files \(x86\)\\Microsoft*", "*:\\Program Files\\Adobe*", "*:\\Program Files\\Google*", "*:\\Program Files\\Microsoft*", "*:\\Program Files\\dotnet\\dotnet.exe", "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SystemApps\\Microsoft*", "*:\\Windows\\system32\\SearchIndexer.exe", "*\\Amazon\\SSM\\Instance*", "*\\AppData\\Local\\Google*", "*\\AppData\\Local\\Kingsoft\\*", "*\\AppData\\Local\\Microsoft*", "System" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.