Suspicious named pipe created
Goal
Detects when a suspicious remote named pipe is observed, which could indicate lateral movement or remote execution attempts by malicious actors.
Strategy
Monitor Windows event logs where @evt.id is 5145 (A network share object was checked to see whether client can be granted desired access), grouped by @Event.System.Computer, and alert when the named pipe observed in the event is unusual, which is what makes it suspicious.
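As an added illustration of the strategy above (example code, not Datadog's rule logic): group event 5145 records by computer and flag accesses to IPC$ named pipes that fall outside a known-good baseline. The sample events, the baseline and the field names beyond those the page cites are constructed assumptions.

```python
from collections import defaultdict

# Baseline of well-known RPC pipe names reachable over IPC$ (assumption for this example).
KNOWN_PIPES = {"srvsvc", "wkssvc", "lsarpc", "samr", "spoolss", "netlogon", "eventlog", "atsvc"}

# Constructed sample events in the shape of Windows Security event 5145 as ingested
# by a log pipeline; attribute names follow the ones the rule above references.
SAMPLE_EVENTS = [
    {"evt": {"id": 5145}, "Event": {"System": {"Computer": "ws01.example.local"}},
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "IpAddress": "10.0.0.5"},
    {"evt": {"id": 5145}, "Event": {"System": {"Computer": "ws02.example.local"}},
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "\\tmp-7f3a", "IpAddress": "10.0.0.9"},
    {"evt": {"id": 5145}, "Event": {"System": {"Computer": "fs01.example.local"}},
     "ShareName": "\\\\*\\Data", "RelativeTargetName": "reports\\q1.xlsx", "IpAddress": "10.0.0.9"},
    {"evt": {"id": 4624}, "Event": {"System": {"Computer": "ws02.example.local"}},
     "IpAddress": "10.0.0.9"},
]


def pipe_name(event):
    """Return the normalised pipe name for a 5145 IPC$ access, or None otherwise."""
    if event.get("evt", {}).get("id") != 5145:
        return None
    if not event.get("ShareName", "").upper().endswith("\\IPC$"):
        return None  # ordinary file-share access, not a named pipe
    return event.get("RelativeTargetName", "").lstrip("\\").lower()


def suspicious_pipes(events, baseline=KNOWN_PIPES):
    """Group pipe accesses outside the baseline by @Event.System.Computer."""
    hits = defaultdict(list)
    for event in events:
        pipe = pipe_name(event)
        if pipe is None or pipe in baseline:
            continue
        computer = event["Event"]["System"]["Computer"]
        hits[computer].append({"pipe": pipe, "client": event.get("IpAddress")})
    return dict(hits)


if __name__ == "__main__":
    for computer, accesses in suspicious_pipes(SAMPLE_EVENTS).items():
        print(computer, accesses)
```

On the constructed input only ws02.example.local is reported, because the file-share event and the non-5145 event are filtered out before the baseline check.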
Triage & Response
Verify whether the execution of the suspicious pipe on {{@@Event.System.Computer}} is expected. If the execution was not intended, isolate the system.