FalconFriday — Suspicious named pipe events — 0xFF1B

Post-Image

FalconFriday — Suspicious named pipe events — 0xFF1B

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method for detecting anomalous named pipes using Microsoft Defender for Endpoint. This same logic can be applied to Sysmon telemetry.

TL;DR for red teams: Named pipes are and will remain a great way to move laterally. Proper operational security will decide whether you’ll be easily detected or not. Spend time on understanding your Malleable Profiles and start properly masquerading with custom code.

Some time ago I was excited to see that the Microsoft Defender for Endpoint (MDE) team added visibility into the NamedPipe events. Upon introduction, this new event type was not being generated everywhere yet, since somewhere Q3/Q4 of 2021 it should have become available in all tenants and queryable to you.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday