Suspicious named pipe created

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detects when a suspicious remote named pipe is observed, which could indicate lateral movement or remote execution attempts by malicious actors.

Strategy

Monitoring of Windows event logs where @evt.id is 5145 and grouping by @Event.System.Computer, where A network share object was checked to see whether client can be granted desired access. The value that was observed was unusual, which made it suspicious.

Triage & Response

Verify if the exection of the suspicious pipe on {{@@Event.System.Computer}} is expected. If the execution was not intended isolate the system.

PREVIEWING: esther/docs-9518-update-example-control-sensitive-log-data