
HackTool - EfsPotato Named Pipe Creation

Summary
This detection rule identifies the creation of named pipes whose names match the usage pattern of the hack tool EfsPotato. It relies on Sysmon named pipe event logging and inspects the pipe name: it triggers when the name contains '\pipe\' or '\pipe\srvsvc', and it filters out names that contain '\CtxShare' or that start with '\pipe\'. False positives may occur with local applications, such as '\pipe\LOCAL\Monitorian', so additional operational context is important for accurate triage. Sysmon must be configured to log Named Pipe Events (Event IDs 17 and 18) for this rule to be effective. Because this tool is associated with privilege escalation attacks, primarily in Windows environments, monitoring these events can help detect an attack early. We recommend configuring logging as outlined in popular Sysmon configuration repositories to ensure effective monitoring.
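As an added example (not the Sigma rule itself or its YAML), the following Python applies the selection and exclusion logic exactly as the summary above describes it to Sysmon pipe events. The field names EventID, Image and PipeName follow Sysmon's event schema; the sample events and pipe names are constructed for illustration.

```python
import json
from typing import Iterable

# Detection logic as described in the rule summary (an interpretation, not the rule's YAML).
SELECTION_CONTAINS = ("\\pipe\\", "\\pipe\\srvsvc")  # match if any of these is present
FILTER_CONTAINS = ("\\CtxShare",)                     # exclude if present anywhere
FILTER_STARTSWITH = ("\\pipe\\",)                     # exclude if the name starts with this


def efspotato_pipe_match(pipe_name: str) -> bool:
    """Return True when a PipeName satisfies the selection and survives both filters."""
    selected = any(s in pipe_name for s in SELECTION_CONTAINS)
    filtered = any(f in pipe_name for f in FILTER_CONTAINS) or pipe_name.startswith(FILTER_STARTSWITH)
    return selected and not filtered


def scan_sysmon_events(lines: Iterable[str]) -> list[dict]:
    """Apply the check to Sysmon pipe events (ID 17 PipeCreated, 18 PipeConnected)
    serialised one JSON object per line; other event IDs are ignored."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") not in (17, 18):
            continue
        if efspotato_pipe_match(event.get("PipeName", "")):
            hits.append(event)
    return hits


# Constructed sample events (not real telemetry); the pipe names are illustrative only.
SAMPLE_EVENTS = r"""
{"EventID": 17, "Image": "C:\\Users\\Public\\tool.exe", "PipeName": "\\a1b2c3\\pipe\\srvsvc"}
{"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\pipe\\srvsvc"}
{"EventID": 18, "Image": "C:\\Program Files\\Citrix\\x.exe", "PipeName": "\\CtxShare\\pipe\\srvsvc"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "PipeName": "\\zz\\pipe\\srvsvc"}
"""

if __name__ == "__main__":
    for hit in scan_sysmon_events(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT EfsPotato pipe pattern: {hit['Image']} -> {hit['PipeName']}")
```

Only the first sample event fires: the legitimate '\pipe\srvsvc' name is removed by the startswith filter and the Citrix name by the '\CtxShare' filter.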
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Named Pipe
  • Process
Created: 2021-08-23