Query Details

CVE 2025 29824 Pipe Magic Detection

Query

// https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/

DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend PipeName = tostring(parse_json(AdditionalFields)["PipeName"])
| where isnotempty(PipeName)
| where PipeName matches regex @"\\\\\.\\pipe\\1\.[0-9A-Fa-f]{32}"

Explanation

This query analyzes device event logs to identify named pipe events that could be suspicious. Here's a breakdown of what it does:

  1. DeviceEvents: It starts by looking at a table or dataset called DeviceEvents, which contains logs of various events occurring on devices.

  2. Filter by ActionType: It filters these events to only include those where the ActionType is "NamedPipeEvent". This means it's specifically interested in events related to named pipes, which are a method for inter-process communication.

  3. Extract PipeName: It parses the JSON in the AdditionalFields column with parse_json, reads the PipeName property from the result, and converts that value to a string with tostring, storing it in a new column called PipeName.

  4. Check for Non-Empty PipeName: It ensures that the PipeName is not empty, meaning it only considers events where a named pipe was actually used.

  5. Regex Match: It uses a regular expression to find named pipes that match a specific pattern. The pattern is \\.\pipe\1.[0-9A-Fa-f]{32}, which matches a named pipe whose name starts with \\.\pipe\1. followed by a 32-character hexadecimal string. This naming convention matches the PipeMagic named pipe described in the Microsoft blog post linked above the query.

In simple terms, this query looks for named pipe events on devices whose pipe name follows the convention used by the PipeMagic malware in the CVE-2025-29824 ransomware activity, so that such events can be surfaced for investigation.
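The same filtering logic, re-implemented in Python and run over a few constructed DeviceEvents-style rows so the behaviour of each step (ActionType filter, JSON extraction, non-empty check, unanchored regex search) can be checked offline. This is an added example, not code from the original page or from Microsoft; the sample rows and host names are made up.

```python
import json
import re

# Same pattern as the KQL query, written as a Python raw string: \\.\pipe\1.<32 hex chars>
PIPE_PATTERN = re.compile(r"\\\\\.\\pipe\\1\.[0-9A-Fa-f]{32}")


def extract_pipe_name(additional_fields):
    """Mirror tostring(parse_json(AdditionalFields)["PipeName"]): '' when missing or unparsable."""
    try:
        fields = json.loads(additional_fields)
    except (TypeError, ValueError):
        return ""
    if not isinstance(fields, dict) or fields.get("PipeName") is None:
        return ""
    return str(fields["PipeName"])


def find_pipemagic_pipe_events(events):
    """Apply the query's filters in order and return the rows the KQL would emit."""
    hits = []
    for event in events:
        if event.get("ActionType") != "NamedPipeEvent":   # | where ActionType == "NamedPipeEvent"
            continue
        pipe_name = extract_pipe_name(event.get("AdditionalFields"))
        if not pipe_name:                                 # | where isnotempty(PipeName)
            continue
        if PIPE_PATTERN.search(pipe_name):                # 'matches regex' is an unanchored search
            hits.append({"DeviceName": event.get("DeviceName"), "PipeName": pipe_name})
    return hits


def _event(device, action, fields):
    """Constructed DeviceEvents-style row; AdditionalFields is a JSON string as in the real table."""
    return {"DeviceName": device, "ActionType": action,
            "AdditionalFields": fields if isinstance(fields, str) else json.dumps(fields)}


# Constructed sample rows (not real telemetry); only the first two should be returned.
SAMPLE_EVENTS = [
    _event("HOST-A", "NamedPipeEvent", {"PipeName": r"\\.\pipe\1.0123456789ABCDEF0123456789abcdef"}),
    # 33 hex chars still match because the regex has no trailing anchor, exactly like the KQL.
    _event("HOST-B", "NamedPipeEvent", {"PipeName": r"\\.\pipe\1.0123456789abcdef0123456789abcdef0"}),
    _event("HOST-C", "NamedPipeEvent", {"PipeName": r"\\.\pipe\1.0123456789abcdef"}),  # only 16 hex
    _event("HOST-D", "NamedPipeEvent", {"PipeName": r"\\.\pipe\lsass"}),              # ordinary pipe
    _event("HOST-E", "ProcessCreated", {"PipeName": r"\\.\pipe\1.0123456789abcdef0123456789abcdef"}),
    _event("HOST-F", "NamedPipeEvent", {"FileName": "x.exe"}),                         # no PipeName
    _event("HOST-G", "NamedPipeEvent", "not json at all"),                             # unparsable
]

if __name__ == "__main__":
    for hit in find_pipemagic_pipe_events(SAMPLE_EVENTS):
        print(hit)
```

Because the search is unanchored at the end, a hex run longer than 32 characters is still reported, which is worth knowing when tuning the query against your own telemetry.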

Details


Steven Lim

Released: April 11, 2025

Tables

DeviceEvents

Keywords

DeviceEvents, AdditionalFields, PipeName

Operators

DeviceEvents, |, where, ==, extend, =, tostring(), parse_json(), ["PipeName"], isnotempty(), matches regex, @"\\\\\.\\pipe\\1\.[0-9A-Fa-f]{32}"
