The C2-NamedPipe rule detects the potential use of named pipes by adversaries to establish covert command and control channels, which is a common technique in APT malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware activity that may evade traditional detection methods.
KQL Query
// maximum lookback time
let minTimeRange = ago(7d);
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
'\\psexec', // PSexec default pipe
'\\paexec', // PSexec default pipe
'\\remcom', // PSexec default pipe
'\\csexec', // PSexec default pipe
'\\isapi_http', // Uroburos Malware Named Pipe
'\\isapi_dg', // Uroburos Malware Named Pipe
'\\isapi_dg2', // Uroburos Malware Named Pipe
'\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
'\\ahexec', // Sofacy group malware
'\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
'\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
'\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
'\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
'\\NamePipe_MoreWindows', // Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
'\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
'\\gruntsvc', // Covenant default named pipe
'\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
'\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
'\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
'\\userpipe', // ruag apt case
'\\iehelper', // ruag apt case
'\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
'\\lsadump', // Cred Dump-Tools Named Pipes
'\\cachedump', // Cred Dump-Tools Named Pipes
'\\wceservicepipe', // Cred Dump-Tools Named Pipes
'\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
'\\svcctl', // CrackMapExec default named pipe
'\\csexecsvc' // CSEXEC default named pipe
'\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253
'\\MSSE-', // CobaltStrike default named pipe
'\\status_', // CobaltStrike default named pipe
'\\msagent_', // (target) CobaltStrike default named pipe
'\\postex_ssh_', // CobaltStrike default named pipe
'\\postex_', // CobaltStrike default named pipe
'\\Posh' // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent" and Timestamp > minTimeRange
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project Timestamp, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
id: ec3f7141-383e-4f32-b698-ba2ee1852c9c
name: C2-NamedPipe
description: |
Detects the creation of a named pipe used by known APT malware.
Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
tactics:
- Command and control
query: |
// maximum lookback time
let minTimeRange = ago(7d);
// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)
let badPipeNames = pack_array(
'\\psexec', // PSexec default pipe
'\\paexec', // PSexec default pipe
'\\remcom', // PSexec default pipe
'\\csexec', // PSexec default pipe
'\\isapi_http', // Uroburos Malware Named Pipe
'\\isapi_dg', // Uroburos Malware Named Pipe
'\\isapi_dg2', // Uroburos Malware Named Pipe
'\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX
'\\ahexec', // Sofacy group malware
'\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ
'\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
'\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
'\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
'\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
'\\NamePipe_MoreWindows', // Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
'\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
'\\gruntsvc', // Covenant default named pipe
'\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
'\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
'\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
'\\userpipe', // | Sentinel Table | Notes |
|---|---|
DeviceEvents | Ensure this data connector is enabled |
Scenario: A system administrator creates a named pipe for inter-process communication (IPC) between services.
Filter/Exclusion: ProcessName == "svchost.exe" || ProcessName == "explorer.exe" || ProcessName == "sqlservr.exe"
Scenario: A legitimate scheduled job uses a named pipe to communicate with a database or application server.
Filter/Exclusion: ProcessName == "sqlagent.exe" || ProcessName == "sqlservr.exe" || ProcessName == "mysql.exe"
Scenario: A developer uses a named pipe for debugging or testing purposes with a local tool like namedpipe-test.exe.
Filter/Exclusion: ProcessName == "namedpipe-test.exe" || ProcessName == "VisualStudio.exe"
Scenario: A system update or patching tool creates a named pipe to coordinate with a remote management service.
Filter/Exclusion: ProcessName == "WindowsUpdate.exe" || ProcessName == "msiexec.exe" || ProcessName == "setup.exe"
Scenario: A legitimate application (e.g., Redis) uses a named pipe for internal communication between nodes.
Filter/Exclusion: ProcessName == "redis-server.exe" || ProcessName == "redis-cli.exe"