Adversaries may use ProjectSauron generic pipe backdoors to establish persistent, stealthy communication channels within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence mechanisms that evade traditional detection methods.
YARA Rule
rule apt_ProjectSauron_generic_pipe_backdoor
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron generic pipe backdoors"
        version = "1.0"
        reference = "https://securelist.com/blog/"
    strings:
        $a = { C7 [2-3] 32 32 32 32 E8 }
        $b = { 42 12 67 6B }
        $c = { 25 31 5F 73 }
        $d = "rand"
        $e = "WS2_32"
    condition:
        uint16(0) == 0x5A4D and (all of them) and filesize < 400000
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic uses five string patterns ($a to $e); all of them must be present, the file must start with the MZ header (uint16(0) == 0x5A4D), and the file must be smaller than 400000 bytes. The benign scenarios below, each with a matching filter/exclusion, can be used to tune out expected named-pipe activity.
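As an added example (not from the page or from Kaspersky Lab's rule set), the following Python re-implements the rule's condition with a simplified hex-pattern matcher and runs it over a constructed byte blob, so the role of each string, the MZ check and the filesize bound can be stepped through offline; the sample bytes and the helper names are assumptions.

```python
import re

# Added example: re-implements the page's YARA condition in plain Python so the
# logic can be stepped through offline. The [n-m] jump handling is a simplified
# illustration, not libyara's matcher. All sample bytes below are constructed.

MZ_MAGIC = 0x5A4D       # uint16(0) == 0x5A4D: little-endian "MZ" DOS header
MAX_FILESIZE = 400000   # filesize < 400000

HEX_PATTERNS = {
    "$a": "C7 [2-3] 32 32 32 32 E8",  # x86 MOV r/m32, imm32 storing "2222", then CALL rel32 (E8)
    "$b": "42 12 67 6B",
    "$c": "25 31 5F 73",              # the ASCII bytes of "%1_s"
}
TEXT_PATTERNS = {"$d": b"rand", "$e": b"WS2_32"}

def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus [n-m] jumps) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:                      # [n-m]: between n and m arbitrary bytes
            parts.append(".{%s,%s}" % (jump.group(1), jump.group(2)))
        else:                         # fixed byte, emitted as a \xhh escape
            parts.append(r"\x%02x" % int(tok, 16))
    return re.compile("".join(parts).encode(), re.DOTALL)

def match_rule(data: bytes) -> dict:
    """Evaluate every string and the overall condition; returns a per-string verdict."""
    hits = {name: bool(hex_to_regex(p).search(data)) for name, p in HEX_PATTERNS.items()}
    hits.update({name: s in data for name, s in TEXT_PATTERNS.items()})
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC
    hits["condition"] = (is_mz
                         and all(hits[n] for n in ("$a", "$b", "$c", "$d", "$e"))
                         and len(data) < MAX_FILESIZE)
    return hits

def build_sample(with_call: bool = True) -> bytes:
    """Constructed blob (not real malware): an MZ header plus each artefact the rule expects."""
    blob = b"MZ" + b"\x00" * 62                                              # minimal DOS header
    blob += b"\xC7\x45\xFC" + b"2222" + (b"\xE8" if with_call else b"\x90")  # $a (or a near miss)
    blob += b"\x42\x12\x67\x6B" + b"%1_s"                                    # $b, $c
    blob += b"rand\x00WS2_32.dll\x00"                                        # $d, $e
    return blob

if __name__ == "__main__":
    for name, ok in match_rule(build_sample()).items():
        print(f"{name:>10}: {ok}")
```

Flipping `with_call` to False swaps the E8 after "2222" for a NOP, which is enough to break $a and therefore the whole `all of them` condition.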
Scenario: Legitimate scheduled job using schtasks.exe to execute a script via a named pipe
Filter/Exclusion: process.parent_process == "schtasks.exe" && process.command_line contains "schtasks" && process.command_line contains "/create"
Scenario: System administrator using net command to manage named pipes during routine maintenance
Filter/Exclusion: process.parent_process == "cmd.exe" && process.command_line contains "net" && process.command_line contains "pipe"
Scenario: Database administrator using sqlcmd to interact with a named pipe for database connectivity
Filter/Exclusion: process.parent_process == "sqlcmd.exe" && process.command_line contains "sqlcmd" && process.command_line contains "-S"
Scenario: IT support using PsExec to remotely execute a script that communicates via a named pipe
Filter/Exclusion: process.parent_process == "PsExec.exe" && process.command_line contains "psexec" && process.command_line contains "\\server"
Scenario: Development team using NamedPipeClientStream in a .NET application for inter-process communication
Filter/Exclusion: process.parent_process == "dotnet.exe" && process.command_line contains "dotnet" && process.command_line contains "NamedPipeClientStream"