Hidden Insider Threats - Hunting the adversary Pipes

Author(s): Almog Ohayon
Category: APT
Duration: 45
Summary: Lateral movement over named pipes is an effective way to evade defenders, and it has been used in many well-known APT campaigns such as Duqu, Regin and APT28, among others.

With fileless, in-memory implants and encrypted named-pipe traffic riding on the SMB service that Windows exposes by default, such malicious activity is very hard to identify.

Attackers think in terms of ROI, and they will do anything to blend in with legitimate activity on your network in order to keep their operation alive.

In this lecture we will explore named pipes and their capabilities, how they are used to evade detection, why advanced attackers leverage them, and what defenders can do to find these mysterious pipes.
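The hunting step the abstract closes on, as an added example that is not part of the talk: a baseline-and-anomaly pass over Sysmon Event ID 17 (Pipe Created) records, which is the telemetry most defenders have for this. The events below are constructed for illustration and are flattened to dicts with the Sysmon field names (UtcTime, ProcessId, PipeName, Image); the seed baseline, the scoring weights and the thresholds are assumptions to be tuned against your own environment, not values from the talk.

```python
import math
import re
from collections import Counter

# Seed baseline of well-known Windows pipe names, matched case-insensitively as
# prefixes after the leading backslash. Illustrative starting point only: a
# real hunt builds the baseline from the environment's own EID 17 history.
BASELINE_PIPES = (
    "lsass", "srvsvc", "samr", "ntsvcs", "wkssvc", "spoolss", "epmapper",
    "atsvc", "eventlog", "netlogon", "winreg", "scerpc", "InitShutdown",
    "PSHost.",
)

# Default pipe names of Cobalt Strike's SMB beacon, artifact kit and post-ex
# jobs (used unless the operator changes the Malleable profile). A hit is a
# strong signal; absence is no evidence, since mature operators rename them.
TOOLING_PATTERNS = [
    re.compile(r"^msagent_[0-9a-f]+$", re.I),
    re.compile(r"^MSSE-\d+-server$", re.I),
    re.compile(r"^postex_[0-9a-f]+$", re.I),
]

# Images outside these roots live in user-writable locations on a default install.
TRUSTED_IMAGE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample of Sysmon EID 17 records (values invented for this example).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 08:00:01", "ProcessId": 812, "PipeName": "\\lsass",
     "Image": "C:\\Windows\\System32\\lsass.exe"},
    {"UtcTime": "2024-03-01 08:00:02", "ProcessId": 1044, "PipeName": "\\srvsvc",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"UtcTime": "2024-03-01 08:05:10", "ProcessId": 4120,
     "PipeName": "\\PSHost.133555000000000000.4120.DefaultAppDomain.powershell",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"UtcTime": "2024-03-01 08:06:00", "ProcessId": 2210, "PipeName": "\\MyCorpAgentPipe",
     "Image": "C:\\Program Files\\CorpAgent\\agent.exe"},
    {"UtcTime": "2024-03-01 08:07:33", "ProcessId": 5532, "PipeName": "\\msagent_4f21",
     "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"UtcTime": "2024-03-01 08:09:47", "ProcessId": 6100, "PipeName": "\\Q9xkT2pLm7Vb",
     "Image": "C:\\Users\\Public\\update.exe"},
]


def normalize_pipe(raw):
    """Strip the \\\\.\\pipe\\ or \\Device\\NamedPipe\\ prefix and leading backslashes."""
    name = raw
    for prefix in ("\\\\.\\pipe\\", "\\Device\\NamedPipe\\"):
        if name.lower().startswith(prefix.lower()):
            name = name[len(prefix):]
    return name.lstrip("\\")


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic for generated names: high entropy and almost no vowels."""
    if len(name) < min_len:
        return False
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters) if letters else 0.0
    return shannon_entropy(name) >= min_entropy and vowel_ratio <= max_vowel_ratio


def hunt_pipe_events(events, baseline=BASELINE_PIPES, report_threshold=2):
    """Score each Pipe Created event; return the ones worth triage, highest score first."""
    base_lc = tuple(b.lower() for b in baseline)
    findings = []
    for ev in events:
        name = normalize_pipe(ev["PipeName"])
        image = ev.get("Image", "")
        reasons, score = [], 0
        if not name.lower().startswith(base_lc):
            reasons.append("not in baseline"); score += 1
            if any(p.match(name) for p in TOOLING_PATTERNS):
                reasons.append("matches default C2 tooling pipe name"); score += 3
            if looks_random(name):
                reasons.append("random-looking name"); score += 2
        if not image.lower().startswith(TRUSTED_IMAGE_ROOTS):
            reasons.append("creating image outside trusted roots"); score += 2
        if score >= report_threshold:
            findings.append({"pipe": name, "image": image, "pid": ev.get("ProcessId"),
                             "time": ev.get("UtcTime"), "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in hunt_pipe_events(SAMPLE_EVENTS):
        print(f"{f['time']} pid={f['pid']} \\\\.\\pipe\\{f['pipe']} score={f['score']} "
              f"image={f['image']} reasons={', '.join(f['reasons'])}")
```

The benign vendor pipe deviates from the seed baseline but scores below the reporting threshold, which is the point of scoring rather than alerting on every unknown name: a pipe that is new, named like a generator's output, and created by an image in a user-writable path is what deserves an analyst's time. Pair this with Event ID 18 (Pipe Connected) to see which remote SMB sessions actually attach to the suspicious pipes.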

Comments

daveaitel

Are we going to cover mailslots too? :)


spongepat

Just like COM, named pipes are the (past) future of Windows vulnerabilities :)