Hunting & Detecting SMB Named Pipe Pivoting (Lateral Movement)

tags: offensive-tradecraft,payload-obfuscation
url:
original_word_count: 2257

Article Excerpt

With SMB traffic being ubiquitous in enterprise networks, adversaries and Offensive Security Tools can abuse pivoting over SMB named pipes to achieve lateral movement and for pivoting C2 traffic.

Long Summary

This article provides an overview of how adversaries and offensive security tools can abuse SMB named pipes for lateral movement and Command and Control (C2) traffic. Named pipes are primarily used by local processes to communicate with each other, but they can also carry communication between two processes on separate hosts over the Microsoft SMB protocol. The article explains why pivoting is advantageous for attackers and provides a visual representation of how pivoting works. It then explains the concept of named pipes and how they can be abused for privilege escalation.

A demonstration of pivoting via named pipes using Bishop Fox's Sliver C2 framework is provided. The article then explains how anomalous named pipe creation events can be hunted and detected using Sysmon logs: outliers are identified by sorting pipe-creation occurrences in ascending order, and the results are filtered to pipes created by processes whose image is not signed. Detection can then be conducted by cross-correlating network connection (Net Conn) and Pipe Connected events, since a pipe connection event and an SMB network connection event occur in conjunction with each other; Splunk's bucket command groups events into 1-minute spans, which narrows the search to named pipes that could be communicating remotely.
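As an added illustration of the hunt and the correlation just described (example code written for this summary, not from the article), the following Python runs both steps over constructed Sysmon-style events: it sorts pipe-creation counts ascending and filters on an assumed `signed` enrichment field, then groups Pipe Connected and port-445 network events into 1-minute buckets per host, the way the Splunk bucket command does.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed Sysmon-style events (sample data, not real telemetry). Sysmon IDs:
# 3 = NetworkConnect, 17 = PipeCreated, 18 = PipeConnected. The "signed" flag is an
# assumed enrichment field (Sysmon pipe events do not carry signature status).
SAMPLE_EVENTS = [
    {"time": "2023-05-01T09:58:11", "host": "WS01", "id": 17, "image": "C:\\Windows\\System32\\svchost.exe", "pipe": "\\spoolss", "signed": True},
    {"time": "2023-05-01T09:59:40", "host": "WS01", "id": 17, "image": "C:\\Windows\\System32\\svchost.exe", "pipe": "\\spoolss", "signed": True},
    {"time": "2023-05-01T10:00:02", "host": "WS01", "id": 17, "image": "C:\\Users\\bob\\update.exe", "pipe": "\\example_pivot", "signed": False},
    {"time": "2023-05-01T10:00:05", "host": "WS01", "id": 18, "image": "C:\\Users\\bob\\update.exe", "pipe": "\\example_pivot"},
    {"time": "2023-05-01T10:00:07", "host": "WS01", "id": 3, "image": "C:\\Users\\bob\\update.exe", "remote_ip": "10.0.0.25", "port": 445},
    {"time": "2023-05-01T10:03:40", "host": "WS02", "id": 18, "image": "C:\\Windows\\System32\\lsass.exe", "pipe": "\\lsass"},
    {"time": "2023-05-01T10:09:10", "host": "WS02", "id": 3, "image": "C:\\Program Files\\App\\app.exe", "remote_ip": "10.0.0.30", "port": 445},
]

def bucket(ts, span=60):
    """Floor an ISO timestamp (treated as UTC) to the start of its span-second bucket,
    like Splunk's `bucket _time span=1m`."""
    epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
    return epoch - epoch % span

def rare_pipe_creators(events, unsigned_only=True):
    """Count PipeCreated events per (image, pipe), least frequent first; optionally keep
    only pipes created by unsigned images. Rare, unsigned creators are the outliers."""
    counts = Counter(
        (e["image"], e["pipe"]) for e in events
        if e["id"] == 17 and not (unsigned_only and e.get("signed", False))
    )
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

def correlate_pipe_and_smb(events, span=60):
    """Find (host, bucket) pairs where a PipeConnected event and an SMB (port 445)
    network connection coincide, i.e. a named pipe that may be talking to a remote host."""
    pipes, smb = defaultdict(set), defaultdict(set)
    for e in events:
        key = (e["host"], bucket(e["time"], span))
        if e["id"] == 18:
            pipes[key].add(e["pipe"])
        elif e["id"] == 3 and e.get("port") == 445:
            smb[key].add(e["remote_ip"])
    return [
        {"host": h, "bucket": b, "pipes": sorted(pipes[(h, b)]), "remote_ips": sorted(smb[(h, b)])}
        for (h, b) in sorted(pipes.keys() & smb.keys())
    ]

if __name__ == "__main__":
    print(rare_pipe_creators(SAMPLE_EVENTS, unsigned_only=False))
    print(correlate_pipe_and_smb(SAMPLE_EVENTS))
```

WS02's pipe connection and SMB connection fall into different 1-minute buckets, so only WS01 is reported; widen `span` to see how the window trades missed pairs for extra noise.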

Network traffic analyzers like Zeek can provide visibility into SMB traffic, allowing analysts to detect anomalous named pipes. Live system analysis can also reveal named pipes, using tools such as net file and the Sysinternals PsFile utility. These tools enumerate named pipes on a pivot host, and any open named pipe interacting with a remote host should trigger further investigation. OpSec considerations are also discussed, such as how attackers can bypass these detections by setting custom named pipe values or by injecting into a legitimate process before creating the named pipe.

In conclusion, this article provides a comprehensive overview of how SMB named pipes can be used for malicious purposes and how to detect and investigate such use. By understanding how SMB named pipes are used, analysts can better detect and investigate malicious activity.

Short Summary

📓 Hunting & Detecting SMB Named Pipe Pivoting (Lateral Movement)

šŸ‘‰šŸ½ With SMB traffic being ubiquitous in enterprise networks, adversaries and Offensive Security Tools can abuse pivoting over SMB named pipes to achieve lateral movement and for pivoting C2 traffic. šŸ‘‰šŸ½ SMB Named Pipes for lateral movement and C2 traffic. šŸ‘‰šŸ½ Explanation of pivoting and named pipes. šŸ‘‰šŸ½ How named pipes can be abused for privilege escalation. šŸ‘‰šŸ½ Demonstration of pivoting using Sliver C2 framework. šŸ‘‰šŸ½ Detecting anomalous named pipe creation events, using Sysmon logs. šŸ‘‰šŸ½ Identifying outliers and filtering for anomalous processes creating pipes. šŸ‘‰šŸ½ Cross correlating Net Conn and Pipe Connected events for detection. šŸ‘‰šŸ½ Using Splunk's bucket command for grouping events. šŸ‘‰šŸ½ Network Traffic Analyzers such as Zeek for detection. šŸ‘‰šŸ½ OpSec considerations and how to bypass detections.

#SMBNamedPipesAbuse #Pivoting #Detection #NetworkTrafficAnalyzers #OpSecConsiderations