Malicious Named Pipes
Query
Tags:
Query://This need a bit of fixing
let badPipeNames = pack_array('psexesvc','paexec','remcom');
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
//| where ParsedFields.FileOperation == "File created"
//tolower(tostring(split(FileName,'\\')[-1]))
| extend foo = tolower(tostring(split(ParsedFields.PipeName,'\\')[-1]))
| project foo, ParsedFields.PipeName
| where foo in(badPipeNames)Explanation
This query is designed to identify specific named pipes that are potentially malicious. Here's a simplified summary:
- Define a List of Bad Pipe Names: It starts by creating a list of known bad pipe names (
psexesvc,paexec,remcom). - Filter for Named Pipe Events: It looks at device events where the action type is "NamedPipeEvent".
- Parse Additional Fields: It extracts additional information from these events.
- Extract Pipe Name: It processes the pipe name to get the last part of the path and converts it to lowercase.
- Filter for Bad Pipe Names: It then checks if the extracted pipe name is in the list of bad pipe names.
- Project Relevant Information: Finally, it displays the extracted pipe name and the full pipe name for further analysis.
In essence, the query is filtering and identifying events related to specific named pipes that are known to be used by malicious software.
Details

Ali Hussein
Released: October 11, 2023
Tables
DeviceEvents
Keywords
DeviceEvents
Operators
letpack_arraywhereextendparse_jsontolowertostringsplitprojectin