splApache-2.0from splunk/security_content
Trickbot Named Pipe
The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/trickbot_named_pipe.yml
`sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) as firstTime max(_time) as lastTime count by dest dvc pipe_name process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`