Hunting Named Pipes with Sysmon

Named Pipes
Named pipes
pipe creation and connection events 
Named pipes
named pipes in use over RPC
Named pipes
number of occurrences across the various computers
Named pipes
DLL’s in the CallTrace field
  • The user associated with the process was SURGE\shannon.
  • The process made RPC calls to the domain controller (10.0.1.14) on port 135, which could be indicative of lateral movement using PSExec.
  • The process communicated with an external IP address (46.101.182.152) on port 443, suggesting potential command and control communication.
  • Pipes with names MrPipes-3587-server and \Surgesock2\mrpipespostex-e3e-0 were identified, potentially facilitating communication between processes.
Named pipes
wide search on that process name

Try Hack Me’s 1 Month Voucher Giveaway Link : https://forms.gle/xpqS2jgspyC22K5d8