Check whether an SMB pipe name for pivoting is a known IoC
import re, sys
def rule_startswith(ioc_string):
    """Build a matcher that flags pipe names beginning with *ioc_string*.

    The returned callable takes a pipe name, prints a ``MATCH`` line when the
    name starts with the IoC prefix (case-sensitive, no normalisation of a
    leading ``\\\\.\\pipe\\`` path) and returns True; otherwise it returns
    False without printing anything.
    """
    def __match(pipename):
        hit = pipename.startswith(ioc_string)
        if hit:
            print("\tMATCH startswith({})".format(ioc_string))
        return hit
    return __match
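def rule_re(ioc_string):
    """Build a matcher that flags pipe names matching the regex *ioc_string*.

    The pattern is compiled once when the rule is built instead of on every
    call (the original recompiled inside the closure). Matching uses
    ``re.match``, so the pattern is anchored at the start of the pipe name
    but not at its end: a trailing suffix still counts as a hit.

    Args:
        ioc_string: regular expression describing the IoC.

    Returns:
        A callable ``__match(pipename) -> bool`` that prints a ``MATCH`` line
        on a hit.

    Raises:
        re.error: if *ioc_string* is not a valid pattern. This now surfaces
            while the rule lists are being built rather than on first use.
    """
    ioc_re = re.compile(ioc_string)

    def __match(pipename):
        if ioc_re.match(pipename) is None:
            return False
        print("\tMATCH re({})".format(ioc_string))
        return True
    return __match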
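def rule_exception(ioc_string, exception):
    """Build a matcher for a regex IoC that carries an allow-list exception.

    The returned callable returns True only when *ioc_string* matches the
    pipe name AND *exception* does not. A name that is covered by the
    exception regex prints an ``EXCEPTION`` line and returns False, exactly
    like a non-match. Both patterns are applied with ``re.match`` (anchored
    at the start of the name only).

    Args:
        ioc_string: regular expression describing the IoC.
        exception: regular expression for names the rule deliberately
            excludes (benign producers of the same prefix).

    Raises:
        re.error: if either pattern is invalid (raised at construction).
    """
    ioc_re = re.compile(ioc_string)
    exception_re = re.compile(exception)

    def __match(pipename):
        if ioc_re.match(pipename) is None:
            return False
        if exception_re.match(pipename) is not None:
            # Report the pattern that suppressed the hit. The original
            # printed ioc_string here, under the misleading exception_re label.
            print("EXCEPTION (will not match) exception_re({})".format(exception))
            return False
        print("\tMATCH re({})".format(ioc_string))
        print("\t\t try using an exception:", exception)
        return True
    return __match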
def rule_contains(ioc_string):
    """Build a matcher that flags pipe names containing *ioc_string*.

    Unlike the prefix and regex rules this is a plain substring test, so the
    IoC may appear anywhere in the name. Prints a ``MATCH`` line on a hit and
    returns True; returns False otherwise.
    """
    def __match(pipename):
        if ioc_string not in pipename:
            return False
        print("\tMATCH contains({})".format(ioc_string))
        return True
    return __match
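# Sigma named-pipe IoCs. Evaluation order is preserved from the original
# list: every prefix rule first, then every regex rule. Regex patterns are
# raw strings so `\.` / `\-` are no longer invalid str escape sequences
# (DeprecationWarning, SyntaxWarning on 3.12+); the runtime values are the
# same as before.
_SIGMA_PREFIXES = (
    'psexec',
    'paexec',
    'remcom',
    'csexec',
    'postex_',
    'postex_ssh_',
    'status_',
    'msagent_',
    'isapi_http',
    'isapi_dg',
    'isapi_dg2',
    'sdlrpc',
    'ahexec',
    'winsession',
    'lsassw',
    '46a676ab7f179e511e30dd2dc41bd388',
    '9f81f59bc58452127884ce513865ed20',
    'e710f28d59aa529d6792ca6ff0ca1b34',
    'rpchlp_3',
    'NamePipe_MoreWindows',
    'pcheap_reuse',
    'gruntsvc',
    '583da945-62af-10e8-4902-a8f205c72b2e',
    'bizkaz',
    'svcctl',
    'Posh',
    'jaccdpqnvbrrxlaf',
    'csexecsvc',
    '6e7645c4-32c5-4fe3-aabf-e94c2f4370e7',
    'adschemerpc',
    'AnonymousPipe',
    'bc367',
    'bc31a7',
    'testPipe',
    'mojo.5688.8052.183894939787088877',
    'mojo.5688.8052.35780273329370473',
    'mypipe-f',
    'mypipe-h',
    'ntsvcs',
    'scerpc',
    'win_svc',
    'spoolss',
    'msrpc_',
    'win\\msrpc_',
    'wkssvc',
    'f53f',
    # NOTE(review): the stray ')' makes this prefix unlikely to ever match a
    # real pipe name; the regex rule below uses 'windows.update.manager'.
    # Confirm against the upstream Sigma rule before relying on it.
    'windows.)update.manager',
    'SearchTextHarvester',
    'DserNamePipe',
    'PGMessagePipe',
    'MsFteWds',
    'f4c3',
    'fullduplex_',
    'rpc_',
    'demoagent_11',
    'demoagent_22',
    'Winsock2\\CatalogChangeListener-',
)

_SIGMA_PATTERNS = (
    r'MSSE-.*-server',
    r'mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}',
    r'wkssvc_?[0-9a-f]{2}',
    r'ntsvcs[0-9a-f]{2}',
    r'DserNamePipe[0-9a-f]{2}',
    r'SearchTextHarvester[0-9a-f]{2}',
    r'mypipe\-(?:f|h)[0-9a-f]{2}',
    r'windows\.update\.manager[0-9a-f]{2,3}',
    r'ntsvcs_[0-9a-f]{2}',
    r'scerpc_?[0-9a-f]{2}',
    r'PGMessagePipe[0-9a-f]{2}',
    r'MsFteWds[0-9a-f]{2}',
    r'f4c3[0-9a-f]{2}',
    r'fullduplex_[0-9a-f]{2}',
    r'msrpc_[0-9a-f]{4}',
    r'win\\msrpc_[0-9a-f]{2}',
    r'f53f[0-9a-f]{2}',
    r'rpc_[0-9a-f]{2}',
    r'spoolss_[0-9a-f]{2}',
    # NOTE(review): the trailing '-0,' is kept verbatim; the ',' looks like a
    # transcription artifact from the upstream rule — confirm.
    r'Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,',
)

sigma_rules = (
    [rule_startswith(prefix) for prefix in _SIGMA_PREFIXES]
    + [rule_re(pattern) for pattern in _SIGMA_PATTERNS]
)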
# Azure Sentinel / Microsoft named-pipe IoCs, all plain prefix matches.
# Each entry keeps the attribution comment from the source list; the list
# order (and the duplicate 'sdlrpc' entry) is preserved as published.
_MICROSOFT_PREFIXES = (
    'psexec',  # PSexec default pipe
    'paexec',  # PSexec default pipe
    'remcom',  # PSexec default pipe
    'csexec',  # PSexec default pipe
    'isapi_http',  # Uroburos Malware Named Pipe
    'isapi_dg',  # Uroburos Malware Named Pipe
    'isapi_dg2',  # Uroburos Malware Named Pipe
    'sdlrpc',  # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
    'ahexec',  # Sofacy group malware
    'winsession',  # Wild Neutron APT malware https://goo.gl/pivRZJ
    'lsassw',  # Wild Neutron APT malware https://goo.gl/pivRZJ
    '46a676ab7f179e511e30dd2dc41bd388',  # Project Sauron https://goo.gl/eFoP4A
    '9f81f59bc58452127884ce513865ed20',  # Project Sauron https://goo.gl/eFoP4A
    'e710f28d59aa529d6792ca6ff0ca1b34',  # Project Sauron https://goo.gl/eFoP4A
    'rpchlp_3',  # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
    'NamePipe_MoreWindows',  # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf), US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
    'pcheap_reuse',  # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
    'gruntsvc',  # Covenant default named pipe
    '583da945-62af-10e8-4902-a8f205c72b2e',  # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    'bizkaz',  # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
    'atctl',  # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
    'userpipe',  # ruag apt case
    'iehelper',  # ruag apt case
    'sdlrpc',  # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    'comnap',  # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    'lsadump',  # Cred Dump-Tools Named Pipes
    'cachedump',  # Cred Dump-Tools Named Pipes
    'wceservicepipe',  # Cred Dump-Tools Named Pipes
    'jaccdpqnvbrrxlaf',  # PoshC2 default named pipe
    'svcctl',  # CrackMapExec default named pipe
    'csexecsvc',  # CSEXEC default named pipe
    'status_',  # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
    'MSSE-',  # CobaltStrike default named pipe
    'msagent_',  # (target) CobaltStrike default named pipe
    'postex_ssh_',  # CobaltStrike default named pipe
    'postex_',  # CobaltStrike default named pipe
    'Posh',
)

microsoft_rules = [rule_startswith(prefix) for prefix in _MICROSOFT_PREFIXES]
# Splunk named-pipe IoCs: prefix matches only, in the published order.
_SPLUNK_PREFIXES = (
    'msagent_',
    'wkssvc',
    'DserNamePipe',
    'srvsvc_',
    'mojo.',
    'postex_',
    'status_',
    'MSSE-',
    'spoolss_',
    'win_svc',
    'ntsvcs',
    'winsock',
    'UIA_PIPE',
)

splunk_rules = [rule_startswith(prefix) for prefix in _SPLUNK_PREFIXES]
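# FalconForce named-pipe IoCs. Evaluation order is preserved from the
# original list: substring rules, then regex rules with an exception, then
# plain regex rules. Regex patterns are raw strings so `\.` / `\d` are no
# longer invalid str escape sequences (DeprecationWarning, SyntaxWarning on
# 3.12+); the runtime values are unchanged.
_FALCON_SUBSTRINGS = (
    "msagent_",
    "MSSE-",
    "postex_",
    "status_",
    "mypipe-f",
    "mypipe-h",
    "mojo.5688.8052.",
    "win_svc",
    "ntsvcs",
    "scerpc",
    "SearchTextHarvester",
    "DserNamePipe",
    "wkssvc_",
    "spoolss_",
    "CatalogChangeListener",
    "fullduplex_",
    "demoagent_",
    "PGMessagePipe",
    "MsFteWds",
    "postex_ssh_",
    "windows.update.manager",
    "f4c3",
    "f53f",
    "halfduplex_",
)

# (ioc_pattern, exception_pattern): a name matching the exception is
# treated as benign even though the IoC pattern matches.
_FALCON_EXCEPTIONS = (
    (r"mojo\.\d+\.\d+\.", r"mojo\.\d+\.\d+\.\d+$"),
    (r"(edge|chrome)\.sync\.\d+\.\d+\.", r"(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$"),
    (r"PSHost\.\d+\.", r"PSHost\.\d+\.\d+\."),
    (r"crashpad_", r"crashpad_\d+_[A-Z]+"),
    # NOTE(review): `{1-3}` is not a valid repetition in Python's re, so it is
    # parsed as literal text and this exception can never fire — every
    # "cubeb-pipe-" name is reported as a hit. Confirm the intended
    # quantifier against the upstream rule.
    (r"cubeb-pipe-", r"cubeb-pipe-\d+_[0-9]{1-3}+"),
)

_FALCON_PATTERNS = (
    # NOTE(review): the runtime value is `pipe\[0-9a-f]{7,10}`: the escaped
    # `[` turns `0-9a-f]` into literal text, so neither of these patterns can
    # match a hex-suffixed name, and re.match anchors at the start of the
    # bare pipe name in any case. Confirm against the upstream rule.
    r"pipe\[0-9a-f]{7,10}",
    r"pipe\[0-9a-f]{8}",
)

falcon_rules = (
    [rule_contains(needle) for needle in _FALCON_SUBSTRINGS]
    + [rule_exception(ioc, exc) for ioc, exc in _FALCON_EXCEPTIONS]
    + [rule_re(pattern) for pattern in _FALCON_PATTERNS]
)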
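# Rule sets in the order they are reported, with the label printed above
# each block of results.
RULE_SETS = [
    ("Sigma rules:", sigma_rules),
    ("Azure Sentinel rules:", microsoft_rules),
    ("Splunk rules:", splunk_rules),
    ("Falcon Force rules:", falcon_rules),
]

if len(sys.argv) < 2:
    # The original indexed sys.argv[1] unconditionally and died with an
    # IndexError traceback when run without an argument.
    print("usage: {} <pipe name>".format(sys.argv[0]), file=sys.stderr)
    sys.exit(2)

# The bare pipe name (as the rule prefixes expect), not the full
# \\.\pipe\<name> path; no normalisation is applied.
pipename = sys.argv[1]
print("pipepivot name IoC check (rules grabbed 17/02/2022)")
for label, rules in RULE_SETS:
    print(label)
    for iocmatch in rules:
        # Each rule prints its own MATCH line; the return value is not
        # aggregated, exactly as before.
        iocmatch(pipename)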