Day 15 of #100DaysofYARA is all about named pipes! We'll be looking for both the \\.\pipe\ strings as well as common references to named and anonymous pipe methods and obfuscation methods. Lots malware fams use named pipes!
github.com/g-les/100Dayso…
github.com/g-les/100Dayso…
However, YARA is probably not the best way to keep track of these things on your network - check out Sysmon Event IDs 17 and 18!
@rpargman has some advice for using KQL to find some specific pipe names
@rpargman has some advice for using KQL to find some specific pipe names
https://twitter.com/rpargman/status/1358862482001911811
and Splunk has some great blogs on monitoring them across the environment:
splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
@d4rksystem also notes you can used SysInternals tooling to find em:
https://twitter.com/d4rksystem/status/1357396172067995648
You may find a lot of PsExec (which may be unusual dependingon the env) in those pipes - if so, @matthewdunwoody has good advice on investigating / hunting the activity:
https://twitter.com/matthewdunwoody/status/1392626933381406726
If traffic and Wireshark are more your thing, use the SMB Command & SMB Filename fields as columns in wireshark, and listen to NETRESEC for finding more evil:
https://twitter.com/netresec/status/1393173263963000833
And more good hunting advice from F-Secure: labs.f-secure.com/blog/detecting…
and from @ForensicITGuy at RedCanary redcanary.com/blog/threat-hu…
and from @ForensicITGuy at RedCanary redcanary.com/blog/threat-hu…
and of course some detection ideas from our crew on CS named pipes on page 14 go.recordedfuture.com/hubfs/reports/…
if you have any good tips on this, please shout and correct me as needed :D Happy hunting!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
