# Suspicious Named Pipe Event
## Query Information
#### Description
Named pipes can be used to detect the execution of malicious software in your environment. Some software uses a standardized naming scheme for its named pipes, which means those names can serve as an indicator.
The query below uses the Named Pipe list from [mthcht](https://github.com/mthcht) and takes that as dynamic input to hunt for matches in the DeviceEvents table.
#### Risk
Malicious software is executed, resulting in the creation of a named pipe.
#### References
- https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/suspicious_named_pipe_list.csv
- https://github.com/mthcht/awesome-lists
## Defender XDR
```KQL
let NamedPipes = externaldata(pipe_name: string, metadata_description: string, metadata_tool:string, metadata_category: string, metadata_link: string, metadata_priority:string, metadata_fp_risk: string, metadata_severity: string, metadata_tool_type: string, metadata_usage: string, metadata_comment: string, metadata_reference: string)[@"https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/suspicious_named_pipe_list.csv"] with (format="csv", ignoreFirstRecord=True);
let StandardizedPipes = NamedPipes
| project pipe_name = replace_string(tolower(pipe_name), "*", "");
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "NamedPipeEvent"
| where split(tolower(AdditionalFields.PipeName), "\\")[-1] has_any(StandardizedPipes)
| extend PipeName = AdditionalFields.PipeName, PipeNameChild = split(tolower(AdditionalFields.PipeName), "\\")[-1], FileOperation = AdditionalFields.FileOperation
| project-reorder Timestamp, PipeName, FileOperation, DeviceName, AccountName
```
## Sentinel
```KQL
let NamedPipes = externaldata(pipe_name: string, metadata_description: string, metadata_tool:string, metadata_category: string, metadata_link: string, metadata_priority:string, metadata_fp_risk: string, metadata_severity: string, metadata_tool_type: string, metadata_usage: string, metadata_comment: string, metadata_reference: string)[@"https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/suspicious_named_pipe_list.csv"] with (format="csv", ignoreFirstRecord=True);
let StandardizedPipes = NamedPipes
| project pipe_name = replace_string(tolower(pipe_name), "*", "");
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "NamedPipeEvent"
| where split(tolower(AdditionalFields.PipeName), "\\")[-1] has_any(StandardizedPipes)
| extend PipeName = AdditionalFields.PipeName, PipeNameChild = split(tolower(AdditionalFields.PipeName), "\\")[-1], FileOperation = AdditionalFields.FileOperation
| project-reorder TimeGenerated, PipeName, FileOperation, DeviceName, AccountName
```
This query is designed to detect potentially malicious software activity by monitoring named pipe events in your environment. Named pipes are a method for inter-process communication, and certain named pipes can indicate suspicious activity. Here's a simplified breakdown of what the query does:
- Data Source: It uses a list of known suspicious named pipes from an external CSV file hosted on GitHub. This list is imported into the query for comparison.
- Data Preparation: The imported named pipe names are standardized by converting them to lowercase and removing any wildcard characters (*).
- Event Filtering: The query searches the DeviceEvents table for events that occurred in the last 30 days (Timestamp or TimeGenerated > 30 days ago) and are of type NamedPipeEvent.
- Matching: It checks if the named pipe used in these events matches any of the standardized suspicious named pipe names.
- Output: For each matching event, it extracts and displays relevant details such as the timestamp, full pipe name, file operation, device name, and account name.
This query helps identify potentially malicious activity by flagging events where suspicious named pipes are used, allowing for further investigation.
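The breakdown above, re-implemented offline in Python as an added example (not part of the query or of the mthcht list): it applies the same lowercase/wildcard-strip normalization and last-segment extraction to constructed CSV rows and DeviceEvents records, and approximates KQL `has_any` with a term-based match, which is an assumption about its semantics.

```python
import csv
import io
import re

# Constructed excerpt in the column layout of the mthcht CSV; only pipe_name is
# used by the query. The patterns are placeholders, not real indicators.
SAMPLE_CSV = (
    "pipe_name,metadata_description,metadata_tool\n"
    "\\example_agent_*,constructed placeholder,example-tool\n"
    "\\demo-*-server,constructed placeholder,example-tool\n"
)

# Constructed DeviceEvents rows; dict keys stand in for the table columns.
SAMPLE_EVENTS = [
    {"ActionType": "NamedPipeEvent", "DeviceName": "ws01", "AccountName": "alice",
     "AdditionalFields": {"PipeName": "\\Device\\NamedPipe\\Example_Agent_9f3c"}},
    {"ActionType": "NamedPipeEvent", "DeviceName": "ws02", "AccountName": "bob",
     "AdditionalFields": {"PipeName": "\\Device\\NamedPipe\\DEMO-4471-server"}},
    {"ActionType": "ProcessCreated", "DeviceName": "ws01", "AccountName": "alice",
     "AdditionalFields": {}},
]

def load_indicators(csv_text):
    # externaldata(...) with (format="csv", ignoreFirstRecord=True), then
    # project pipe_name = replace_string(tolower(pipe_name), "*", "")
    return [r["pipe_name"].lower().replace("*", "") for r in csv.DictReader(io.StringIO(csv_text))]

def pipe_child(full_name):
    # split(tolower(AdditionalFields.PipeName), "\\")[-1]
    return full_name.lower().split("\\")[-1]

def has_any(text, indicators):
    # Approximates KQL has_any (assumption): terms are alphanumeric runs, and an
    # indicator matches when its term sequence appears contiguously in the text.
    t = re.findall(r"[a-z0-9]+", text.lower())
    for ind in indicators:
        it = re.findall(r"[a-z0-9]+", ind.lower())
        if it and any(t[i:i + len(it)] == it for i in range(len(t) - len(it) + 1)):
            return True
    return False

def hunt(events, indicators):
    hits = []
    for ev in events:
        name = ev["AdditionalFields"].get("PipeName", "")
        if ev["ActionType"] == "NamedPipeEvent" and has_any(pipe_child(name), indicators):
            hits.append({"PipeName": name, "PipeNameChild": pipe_child(name),
                         "DeviceName": ev["DeviceName"], "AccountName": ev["AccountName"]})
    return hits
```

Stripping `*` turns `\demo-*-server` into `\demo--server`, so in this re-implementation an entry with an embedded wildcard no longer matches a name such as `DEMO-4471-server`; only trailing-wildcard entries survive the normalization unchanged, so mid-name wildcards need a separate pattern match.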

Bert-Jan Pals
Released: December 9, 2024