Query Details

Named Pipe Detection

Query

name: Execution, Indicators of usage of winexe for lateral movement
description: Detects usage of winexe through named pipe creation
references: https://attack.mitre.org/software/S0191/,https://community.netwitness.com/t5/netwitness-community-blog/detecting-lateral-movement-in-rsa-netwitness-winexe/ba-p/520480
tags: Execution, S0191
search_query: 
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any ("ahexec", "wmcex")
Notes:



Explanation

This query is designed to detect the use of the tool "winexe" for lateral movement within a network by monitoring named pipe creation events. Here is a simplified breakdown:

  1. Data Source: It reads from the DeviceEvents table.
  2. Event Type: Filters for events whose ActionType is NamedPipeEvent.
  3. Parsing Additional Fields: It parses the JSON in the AdditionalFields column with parse_json so its members can be queried.
  4. File Operation: Further filters for events where the FileOperation is "File created", i.e. the pipe was created rather than merely opened.
  5. Pipe Names: Keeps only events whose PipeName contains the term "ahexec" or "wmcex" (has_any matches whole terms, case-insensitively, rather than arbitrary substrings).

In essence, this query identifies potential malicious activity by checking for the creation of the named pipes associated with the use of "winexe" for lateral movement.
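The same filter chain, re-implemented over a few constructed DeviceEvents rows so the logic can be exercised offline. This is an added illustration, not part of the original query page; the sample rows, the `has_any` approximation (alphanumeric term tokenisation) and the function names are assumptions.

```python
import json
import re
from typing import Any

# Constructed sample rows shaped like Defender's DeviceEvents table (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"FileOperation": "File created",
                                     "PipeName": r"\Device\NamedPipe\ahexec"})},
    {"DeviceName": "ws02", "ActionType": "NamedPipeEvent",       # opened, not created
     "AdditionalFields": json.dumps({"FileOperation": "File opened",
                                     "PipeName": r"\Device\NamedPipe\ahexec"})},
    {"DeviceName": "ws03", "ActionType": "NamedPipeEvent",       # case differs, still a hit
     "AdditionalFields": json.dumps({"FileOperation": "File created",
                                     "PipeName": r"\Device\NamedPipe\WMCEX"})},
    {"DeviceName": "ws04", "ActionType": "NamedPipeEvent",       # benign pipe name
     "AdditionalFields": json.dumps({"FileOperation": "File created",
                                     "PipeName": r"\Device\NamedPipe\spoolss"})},
    {"DeviceName": "ws05", "ActionType": "ProcessCreated",       # wrong ActionType
     "AdditionalFields": json.dumps({"PipeName": r"\Device\NamedPipe\ahexec"})},
    {"DeviceName": "ws06", "ActionType": "NamedPipeEvent",       # malformed AdditionalFields
     "AdditionalFields": "not json"},
]

WINEXE_PIPE_TERMS = ("ahexec", "wmcex")

def parse_json(raw: str) -> dict[str, Any]:
    """Mimic KQL parse_json(): malformed input yields an empty object instead of raising."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}

def has_any(value: str, terms) -> bool:
    """Approximate KQL has_any: case-insensitive whole-term match, not substring match."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", value)}
    return any(term.lower() in tokens for term in terms)

def winexe_pipe_hits(events) -> list[str]:
    """Apply the query's four filters in order; return the DeviceName of each matching row."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "NamedPipeEvent":
            continue
        fields = parse_json(ev.get("AdditionalFields", ""))
        if fields.get("FileOperation") != "File created":
            continue
        if has_any(str(fields.get("PipeName", "")), WINEXE_PIPE_TERMS):
            hits.append(ev["DeviceName"])
    return hits
```

Only ws01 and ws03 survive: the opened-but-not-created pipe, the benign pipe, the non-pipe event and the unparseable row are all dropped, mirroring what the KQL pipeline does.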

Details

Ali Hussein

Released: January 24, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

==, extend, parse_json, has_any