Query Details

Execution, Indicators of usage of winexe for lateral movement

Named Pipe Detection

Query

(DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any ("ahexec", "wmcex")

Explanation

This query is designed to detect the use of the tool "winexe" for lateral movement within a network by monitoring named pipe creation events. Here's a simplified breakdown:

  1. Data Source: It looks at DeviceEvents.
  2. Event Type: Filters for events where the action type is NamedPipeEvent.
  3. Parsing Additional Fields: It extracts additional details from the AdditionalFields field.
  4. File Operation: Further filters for events where a file was created.
  5. Pipe Names: Specifically looks for named pipes with names containing "ahexec" or "wmcex".

In essence, this query identifies potential malicious activity by checking for the creation of specific named pipes associated with the use of "winexe" for lateral movement.

Details

Ali Hussein profile picture

Ali Hussein

Released: January 24, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

==|extendparse_jsonhas_any

Actions

GitHub