Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Detection Query
selection_name:
  - Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  - OriginalFileName:
      - 'Cmd.Exe'
      - 'PowerShell.EXE'
selection_args:
  CommandLine|contains|all:
    - 'echo'
    - '>'
    - '\\\\.\\pipe\\'
condition: all of selection*
Author
Tim Rauch, Elastic (idea)
Created
2022-09-27
Data Sources
windows (Process Creation Events)
Platforms
windows
Tags
attack.lateral-movement, attack.t1021
Raw Content
title: Privilege Escalation via Named Pipe Impersonation
id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
related:
  - id: f35c5d71-b489-4e22-a115-f003df287317
    type: derived
status: test
description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
references:
  - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2022-12-30
tags:
  - attack.lateral-movement
  - attack.t1021
logsource:
  category: process_creation
  product: windows
detection:
  selection_name:
    - Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
    - OriginalFileName:
        - 'Cmd.Exe'
        - 'PowerShell.EXE'
  selection_args:
    CommandLine|contains|all:
      - 'echo'
      - '>'
      - '\\\\.\\pipe\\'
  condition: all of selection*
falsepositives:
  - Other programs that cause these patterns (please report)
level: high
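As an added example that is not part of the rule or this page, the following Python reproduces the rule's matching logic (the two selection_name items OR-ed, contains|all on CommandLine, case-insensitive as Sigma specifies, with the doubled-backslash escaping of the pipe prefix resolved) and runs it over constructed Sysmon-style process-creation events; the event field names and values are assumptions for illustration.

```python
import re

# Patterns exactly as written in the rule. Sigma reads a doubled backslash as
# one literal backslash, so '\\\\.\\pipe\\' in the YAML is the plain named-pipe
# prefix \\.\pipe\ once unescaped.
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
ORIGINAL_FILE_NAMES = ("Cmd.Exe", "PowerShell.EXE")
CMDLINE_TERMS_RAW = ("echo", ">", r"\\\\.\\pipe\\")

def sigma_unescape(value: str) -> str:
    # Only the escapes this rule needs: "\\" -> "\", "\*" -> "*", "\?" -> "?".
    return re.sub(r"\\([\\*?])", r"\1", value)

CMDLINE_TERMS = tuple(sigma_unescape(t) for t in CMDLINE_TERMS_RAW)

def selection_name(event: dict) -> bool:
    # The two list items are OR-ed, so a renamed cmd.exe/powershell.exe still
    # matches through the PE header's OriginalFileName. Matching is case-insensitive.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or any(original == o.lower() for o in ORIGINAL_FILE_NAMES))

def selection_args(event: dict) -> bool:
    # contains|all: every term must appear somewhere in CommandLine.
    cmdline = event.get("CommandLine", "").lower()
    return all(term.lower() in cmdline for term in CMDLINE_TERMS)

def matches(event: dict) -> bool:
    return selection_name(event) and selection_args(event)  # condition: all of selection*

def hunt(events: list) -> list:
    """Return the ProcessId of every event the rule fires on."""
    return [e["ProcessId"] for e in events if matches(e)]

# Constructed Sysmon-style (Event ID 1) events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "echo test > \\.\pipe\examplepipe"'},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo test > C:\Temp\out.txt"},  # file redirect, no pipe
    {"ProcessId": 1003, "Image": r"C:\Tools\svc.exe", "OriginalFileName": "svc.exe",
     "CommandLine": r"svc.exe --pipe \\.\pipe\examplepipe"},  # not a shell, no echo
    {"ProcessId": 1004, "Image": r"C:\Users\Public\ps.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'ps.exe -c "echo test > \\.\pipe\examplepipe"'},  # renamed powershell.exe
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # [1001, 1004]
```

Event 1004 is the case the OriginalFileName branch exists for: the binary on disk is renamed, so the Image suffix check alone would miss it.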