Query Details

Malicious Named Pipes

Query

Tags:

Query:
let badPipeNames = pack_array('psexesvc', 'paexec', 'remcom');
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields = parse_json(AdditionalFields)
// Optionally restrict to pipe creation rather than every open/connect:
//| where ParsedFields.FileOperation == "File created"
| extend PipeName = tostring(ParsedFields.PipeName)
// Keep only the component after the last backslash, lower-cased, so that
// \\.\pipe\PSEXESVC becomes psexesvc (in() is case-sensitive)
| extend PipeLeaf = tolower(tostring(split(PipeName, '\\')[-1]))
| where PipeLeaf in (badPipeNames)
| project Timestamp, DeviceName, PipeLeaf, PipeName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine

Explanation

This query flags named-pipe events whose pipe name matches the pipes created by PsExec, PAExec and RemCom, remote execution tools that attackers routinely use for lateral movement. Step by step:

  1. Define a list of pipe names to watch: it starts with a list of pipe leaf names associated with these tools (psexesvc, paexec, remcom), all lower-case.
  2. Filter for named pipe events: it keeps DeviceEvents rows whose ActionType is "NamedPipeEvent".
  3. Parse AdditionalFields: the pipe name is not a top-level column; it lives in the AdditionalFields JSON string, which parse_json turns into a dynamic object.
  4. Extract the pipe leaf: it splits the pipe path on backslash, takes the last component and lower-cases it, because in() compares strings case-sensitively and pipe names such as PSEXESVC are logged in mixed case.
  5. Filter for watched pipe names: it keeps only rows whose leaf is in the list.
  6. Project relevant information: it outputs the extracted leaf and the full pipe name for further analysis; add Timestamp, DeviceName and the InitiatingProcess* columns to the projection if they are not already there, since a pipe name alone cannot be triaged.

Two points matter when tuning it. These are legitimate administration utilities, so a hit means a remote execution tool ran on the host, not that the activity was malicious; suppress known jump hosts or admin accounts rather than removing pipe names from the list. The comparison is also exact, so it only catches the tool's main service pipe: the per-session pipes PsExec creates (PSEXESVC-<host>-<pid>-stdin, -stdout and -stderr) and the per-process pipes PAExec creates carry the tool name only as a prefix and are not matched. Changing the final where to a startswith comparison on the leaf catches them at the cost of somewhat broader matching.
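The same detection logic in plain Python, as an added example that is not part of this page or the original query, run over constructed sample rows shaped like DeviceEvents NamedPipeEvent records (AdditionalFields is a JSON string, as in the table). The PipeName values, device names and function names are this example's own assumptions. It runs the exact match used by the query and, beside it, a prefix match that also catches pipes such as PSEXESVC-<host>-<pid>-stdin that carry the tool name only as a prefix.

```python
"""Re-implementation of the named-pipe watch-list check in plain Python.
Added example: not the page's query and not Microsoft Defender code."""
import json

# Leaf pipe names to watch, lower-cased (same list as the KQL query).
BAD_PIPE_NAMES = ("psexesvc", "paexec", "remcom")

# Constructed sample events (not captured telemetry). The PipeName shapes
# mimic the PsExec service pipe, a per-session PsExec pipe, an unrelated
# pipe, a non-pipe event and a PAExec per-process pipe.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-10-11T09:00:00Z", "DeviceName": "ws01",
     "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"FileOperation": "File created",
                                     "PipeName": "\\\\.\\pipe\\PSEXESVC"})},
    {"Timestamp": "2023-10-11T09:00:01Z", "DeviceName": "ws01",
     "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"FileOperation": "File created",
                                     "PipeName": "\\PSEXESVC-WS01-4242-stdin"})},
    {"Timestamp": "2023-10-11T09:05:00Z", "DeviceName": "ws02",
     "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"FileOperation": "File opened",
                                     "PipeName": "\\\\.\\pipe\\lsass"})},
    {"Timestamp": "2023-10-11T09:06:00Z", "DeviceName": "ws02",
     "ActionType": "FileCreated",
     "AdditionalFields": json.dumps({"FileName": "psexesvc.exe"})},
    {"Timestamp": "2023-10-11T09:07:00Z", "DeviceName": "ws03",
     "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"FileOperation": "File created",
                                     "PipeName": "\\\\.\\pipe\\PAExec-1234-DC01"})},
]


def pipe_leaf(pipe_name: str) -> str:
    """Mirror tolower(tostring(split(PipeName, '\\')[-1])): the component
    after the last backslash, lower-cased so the comparison ignores case."""
    return pipe_name.rsplit("\\", 1)[-1].lower()


def match_exact(leaf: str) -> bool:
    """The query's `where PipeLeaf in (badPipeNames)`."""
    return leaf in BAD_PIPE_NAMES


def match_prefix(leaf: str) -> bool:
    """Looser variant: also catches per-session pipes named <tool>-<host>-<pid>-..."""
    return leaf.startswith(BAD_PIPE_NAMES)


def find_suspicious_pipes(events, matcher=match_exact):
    """Apply the detection to DeviceEvents-like dicts; return projected hits."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "NamedPipeEvent":
            continue
        try:
            fields = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            continue  # parse_json would yield null here; skip the row
        pipe_name = fields.get("PipeName")
        if not isinstance(pipe_name, str) or not pipe_name:
            continue
        leaf = pipe_leaf(pipe_name)
        if matcher(leaf):
            hits.append({"Timestamp": ev.get("Timestamp"),
                         "DeviceName": ev.get("DeviceName"),
                         "PipeLeaf": leaf, "PipeName": pipe_name})
    return hits


if __name__ == "__main__":
    for label, matcher in (("exact", match_exact), ("prefix", match_prefix)):
        print(f"--- {label} match ---")
        for hit in find_suspicious_pipes(SAMPLE_EVENTS, matcher):
            print(hit["Timestamp"], hit["DeviceName"], hit["PipeName"])
```

On the sample rows the exact matcher returns only the PSEXESVC service pipe, while the prefix matcher also returns the PSEXESVC-WS01-4242-stdin and PAExec-1234-DC01 pipes; the lsass pipe and the non-pipe FileCreated row are ignored by both.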

Details


Ali Hussein

Released: October 11, 2023

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

let, pack_array, where, extend, parse_json, tolower, tostring, split, project, in
