Monitor for named pipe execution (osquery)

Description: In October 2020 Ryuk compromised a company in 5 hours, as documented by The DFIR Report. One of the techniques in that attack was privilege escalation by named pipe impersonation, the mechanism behind Cobalt Strike's getsystem: a service is started that runs cmd.exe to echo a string into a named pipe the beacon has created, the cmd.exe (running as SYSTEM because a service started it, so typically parented by services.exe) connects as the pipe client, and the beacon impersonates that client's token. The query below interrogates the Windows Security event log for process creation events (event ID 4688) in which the new process is cmd.exe and the command line contains “\\.\pipe”. It tags each hit with ATT&CK T1134.001 (Access Token Manipulation: Token Impersonation/Theft), which is the technique this pattern belongs to, and decodes the MandatoryLabel SID into a readable integrity level, so a SYSTEM-integrity cmd.exe parented by services.exe stands out from ordinary shell use. This is another rule that leverages osquery's parsing of the event log into JSON. Two audit settings are prerequisites: Audit Process Creation, which produces 4688 at all, and "Include command line in process creation events", without which the CommandLine field is empty and the query can never match.

If you need to get auditing set up on Windows, I found this process to be very easy. https://schneegans.de/windows/process-audit/

Hopefully you can leverage this in your environment as well.

Named pipe impersonation (privilege escalation)

SQL:

SELECT * FROM (
  SELECT
    datetime,
    datetime(julianday(datetime), 'localtime') AS datetime_local,
    -- Named pipe impersonation is Access Token Manipulation: Token Impersonation/Theft
    'T1134.001' AS mitre_attck_id,
    'https://attack.mitre.org/techniques/T1134/001' AS mitre_attck_url,
    'ryuk, named_pipe, cmd' AS tags,
    -- 4688 fields, pulled out of the JSON osquery builds from the event XML
    json_extract(data, '$.EventData.SubjectUserName') AS SubjectUserName,
    json_extract(data, '$.EventData.SubjectDomainName') AS SubjectDomainName,
    json_extract(data, '$.EventData.SubjectLogonId') AS SubjectLogonId,
    json_extract(data, '$.EventData.NewProcessId') AS NewProcessId,
    json_extract(data, '$.EventData.NewProcessName') AS NewProcessName,
    json_extract(data, '$.EventData.TokenElevationType') AS TokenElevationType,
    json_extract(data, '$.EventData.ProcessId') AS ProcessId,
    -- Empty unless "Include command line in process creation events" is enabled
    json_extract(data, '$.EventData.CommandLine') AS CommandLine,
    json_extract(data, '$.EventData.TargetUserSid') AS TargetUserSid,
    json_extract(data, '$.EventData.TargetUserName') AS TargetUserName,
    json_extract(data, '$.EventData.TargetDomainName') AS TargetDomainName,
    json_extract(data, '$.EventData.TargetLogonId') AS TargetLogonId,
    json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName,
    json_extract(data, '$.EventData.MandatoryLabel') AS MandatoryLabel,
    -- Decode the integrity level SID carried in MandatoryLabel
    CASE json_extract(data, '$.EventData.MandatoryLabel')
      WHEN 'S-1-16-0'     THEN 'untrusted'
      WHEN 'S-1-16-4096'  THEN 'low_integrity'
      WHEN 'S-1-16-8192'  THEN 'medium_integrity'
      WHEN 'S-1-16-8448'  THEN 'medium_plus_integrity'
      WHEN 'S-1-16-12288' THEN 'high_integrity'
      WHEN 'S-1-16-16384' THEN 'system_integrity'
      WHEN 'S-1-16-20480' THEN 'protected_process'
    END AS MandatoryLabel_Meaning
  FROM (
    -- channel must be constrained on windows_eventlog; keep only process creation from the last day
    SELECT data, datetime FROM windows_eventlog
    WHERE channel = 'Security' AND eventid = 4688 AND datetime > DATE('now', '-1 days')
  )
) WHERE NewProcessName LIKE '%cmd.exe' AND CommandLine LIKE '%\\.\pipe%';
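To check the matching logic offline before rolling the query out, here is an added Python replica of its WHERE clauses and MandatoryLabel decoding, run over a handful of constructed 4688 rows. This is example code written for this page, not osquery's code or the original author's. It assumes windows_eventlog rows shaped as dicts with the columns the query uses (channel, eventid, datetime, data), an ISO 8601 UTC string in `datetime`, and the 4688 fields under `EventData` in the `data` JSON; the sample rows, including the services.exe-parented SYSTEM cmd.exe echoing into `\\.\pipe\...`, are constructed for the example and are not real telemetry.

```python
import json
from datetime import datetime, timedelta

# Integrity level SIDs -> meaning, mirroring the query's CASE expression.
MANDATORY_LABELS = {
    "S-1-16-0": "untrusted",
    "S-1-16-4096": "low_integrity",
    "S-1-16-8192": "medium_integrity",
    "S-1-16-8448": "medium_plus_integrity",
    "S-1-16-12288": "high_integrity",
    "S-1-16-16384": "system_integrity",
    "S-1-16-20480": "protected_process",
}

# What CommandLine LIKE '%\\.\pipe%' looks for. SQLite LIKE treats backslash as an
# ordinary character and is case-insensitive for ASCII, so both sides are lower-cased.
PIPE_MARKER = r"\\.\pipe".lower()


def evaluate_row(row, now, window=timedelta(days=1)):
    """Apply the query's filters to one windows_eventlog-shaped row (assumed dict
    with channel, eventid, datetime, data). Returns the projected fields for a hit,
    else None. `now - window` stands in for DATE('now', '-1 days')."""
    if row["channel"] != "Security" or row["eventid"] != 4688:
        return None
    if datetime.fromisoformat(row["datetime"]) <= now - window:
        return None
    ev = json.loads(row["data"])["EventData"]
    new_process = ev.get("NewProcessName", "")
    command_line = ev.get("CommandLine", "")  # empty unless command-line auditing is on
    # NewProcessName LIKE '%cmd.exe' AND CommandLine LIKE '%\\.\pipe%'
    if not new_process.lower().endswith("cmd.exe"):
        return None
    if PIPE_MARKER not in command_line.lower():
        return None
    label = ev.get("MandatoryLabel")
    return {
        "datetime": row["datetime"],
        "SubjectUserName": ev.get("SubjectUserName"),
        "SubjectDomainName": ev.get("SubjectDomainName"),
        "NewProcessName": new_process,
        "CommandLine": command_line,
        "ParentProcessName": ev.get("ParentProcessName"),
        "TokenElevationType": ev.get("TokenElevationType"),
        "MandatoryLabel": label,
        "MandatoryLabel_Meaning": MANDATORY_LABELS.get(label),
    }


def hunt(rows, now):
    """Run the filter over every row and keep the hits."""
    return [hit for hit in (evaluate_row(r, now) for r in rows) if hit]


def make_row(ts, event_data, eventid=4688, channel="Security"):
    """Build one constructed row in the shape assumed above."""
    return {"channel": channel, "eventid": eventid, "datetime": ts,
            "data": json.dumps({"EventData": event_data})}


NOW = datetime(2020, 10, 18, 13, 0, 0)  # fixed clock so the sample is deterministic
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed event data for the impersonation pattern: a service runs cmd.exe as SYSTEM
# to echo into the attacker's pipe, so the parent is services.exe and the label is System.
SYSTEM_CMD = {
    "SubjectUserName": "WORKSTATION$", "SubjectDomainName": "CORP",
    "NewProcessName": CMD, "ParentProcessName": r"C:\Windows\System32\services.exe",
    "CommandLine": CMD + r" /c echo 2f5b7a > \\.\pipe\2f5b7a",
    "TokenElevationType": "%%1936", "MandatoryLabel": "S-1-16-16384",
}

# Constructed sample rows, not real telemetry.
SAMPLE_ROWS = [
    # 0: the impersonation pattern within the window: the one expected hit
    make_row("2020-10-18T12:30:00", SYSTEM_CMD),
    # 1: ordinary interactive cmd.exe use at medium integrity
    make_row("2020-10-18T12:31:00", {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "NewProcessName": CMD, "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": CMD + r" /c dir C:\temp",
        "TokenElevationType": "%%1938", "MandatoryLabel": "S-1-16-8192"}),
    # 2: pipe string present but the process is not cmd.exe, so out of scope for this query
    make_row("2020-10-18T12:32:00", {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": CMD, "CommandLine": r"powershell.exe -c Test-Path \\.\pipe\x",
        "TokenElevationType": "%%1938", "MandatoryLabel": "S-1-16-8192"}),
    # 3: same pattern, but command-line logging was not enabled: the query cannot see it
    make_row("2020-10-18T12:33:00", dict(SYSTEM_CMD, CommandLine="")),
    # 4: same pattern, two days old, outside the query's one-day window
    make_row("2020-10-16T12:30:00", SYSTEM_CMD),
    # 5: a logon event on the same channel is never considered
    make_row("2020-10-18T12:35:00", {"TargetUserName": "alice"}, eventid=4624),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS, NOW):
        print(json.dumps(hit, indent=2))
```

Row 3 is the case you get when Audit Process Creation is on but command-line logging is not: the process creation is recorded, yet the query still cannot see the pipe, so that policy is a prerequisite rather than a nicety. Row 2 shows the deliberate scope of the rule: it looks only for cmd.exe, which is what the echo-into-pipe pattern uses, not for every process that touches the pipe namespace.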

Operating Systems: Windows Only

References:

Ryuk in 5 Hours – The DFIR Report

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688