← Library
sigmaDRL-1.1from SigmaHQ/sigma

NtdllPipe Like Activity Execution

Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe

Quality
98
FP risk
Forks
0
Views
0
Rule sourcerules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
title: NtdllPipe Like Activity Execution
id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
status: test
description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
references:
    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: Florian Roth (Nextron Systems)
date: 2022-03-05
modified: 2023-03-07
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'type %windir%\system32\ntdll.dll'
            - 'type %systemroot%\system32\ntdll.dll'
            - 'type c:\windows\system32\ntdll.dll'
            - '\\ntdll.dll > \\\\.\\pipe\\'
    condition: selection
falsepositives:
    - Unknown
level: high