Commit 7a8678f

committed by headless_bee
1 parent d7b400d commit 7a8678f

File tree

1 file changed (+2 -1 lines changed)

detections/endpoint/windows_anonymous_pipe_activity.yml

Lines changed: 2 additions & 1 deletion
@@ -7,7 +7,8 @@ status: production
77
type: Anomaly
88
description: The following analytic detects the creation or connection of anonymous pipes for inter-process communication (IPC) within a Windows environment. Anonymous pipes are commonly used by legitimate system processes, services, and applications to transfer data between related processes. However, adversaries frequently abuse anonymous pipes to facilitate stealthy process injection, command-and-control (C2) communication, credential theft, or privilege escalation. This detection monitors for unusual anonymous pipe activity, particularly involving non-system processes, unsigned executables, or unexpected parent-child process relationships. While legitimate use cases exist—such as Windows services, software installers, or security tools—unusual or high-frequency anonymous pipe activity should be investigated for potential malware, persistence mechanisms, or lateral movement techniques.
99
data_source:
10-
- __UPDATE__ zero or more data_sources
10+
- Sysmon EventID 17
11+
- Sysmon EventID 18
1112
search: '`sysmon` EventCode IN (17,18) PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*"))
1213
| stats min(_time) as firstTime max(_time) as lastTime count by dest user EventCode PipeName signature Image process_id process_guid EventType
1314
| rename Image as process_name
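Review bot: the two added `data_source` entries (Sysmon EventID 17 and 18) line up with the `EventCode IN (17,18)` filter in the `search` context line, so the `__UPDATE__` placeholder is correctly resolved; the remaining gap is between the unchanged `description` and the search itself. The description says the analytic monitors for "unsigned executables" and "unexpected parent-child process relationships", but the search only excludes `Image` paths under `Program Files` and carries `signature` as a group-by field without filtering on it, and no parent process field appears at all. Either trim those two claims from the description or add the corresponding conditions to the search so the YAML describes what the detection actually does. Also note that the `"*\\Program Files\\*"` pattern will not match images under `Program Files (x86)`, so 32-bit software on 64-bit hosts will still surface; if that exclusion is intended to cover installed software generally, a second pattern for that directory would be needed.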