NtdllPipe Like Activity Execution

Hunt Hypothesis

Adversaries may use NtdllPipe techniques to exfiltrate or execute malicious code by leveraging ntdll.dll content, evading traditional AV/EDR detection mechanisms. SOC teams should pro

Detection Rule

Sigma (Original)

title: NtdllPipe Like Activity Execution
id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
status: test
description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
references:
    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: Florian Roth (Nextron Systems)
date: 2022-03-05
modified: 2023-03-07
tags:
    - attack.defense-impairment
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'type %windir%\system32\ntdll.dll'
            - 'type %systemroot%\system32\ntdll.dll'
            - 'type c:\windows\system32\ntdll.dll'
            - '\\ntdll.dll > \\\\.\\pipe\\'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "type %windir%\\system32\\ntdll.dll" or TargetProcessCommandLine contains "type %systemroot%\\system32\\ntdll.dll" or TargetProcessCommandLine contains "type c:\\windows\\system32\\ntdll.dll" or TargetProcessCommandLine contains "\\ntdll.dll > \\\\.\\pipe\\"

Required Data Sources

False Positive Guidance

• Unknown

References

• https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
• SigmaHQ Rule