medium advisory

NullSessionPipe Registry Modification for Lateral Movement

Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.

This detection rule identifies modifications to the NullSessionPipes registry setting in Windows. The setting lists the named pipes that can be accessed without authentication, i.e. over an anonymous (null session) connection. Adversaries may exploit this by modifying the registry to enable lateral movement, allowing unauthorized access to network resources: by adding specific pipes to the NullSessionPipes registry key, an attacker can make the services behind them reachable without authentication. The rule focuses on flagging modifications that introduce newly accessible pipes, which could indicate malicious intent. The targeted configuration is located under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; the NullSessionPipes entry there is of particular interest whenever its values change.

Attack Chain

  1. Initial compromise of a system within the network.
  2. The attacker gains elevated privileges on the compromised system.
  3. The attacker modifies the Windows Registry, specifically the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes key. They add a new pipe name to this key, which will allow unauthenticated access to that named pipe.
  4. The attacker uses reg.exe or PowerShell to modify the registry, potentially using commands like reg add or Set-ItemProperty.
  5. A remote system attempts to connect to the newly accessible named pipe on the compromised system without authenticating.
  6. The attacker exploits the now-accessible service or application associated with the named pipe to execute commands or transfer data.
  7. The attacker leverages this access to move laterally within the network, compromising additional systems.

Impact

Successful modification of the NullSessionPipes registry setting can lead to unauthorized access to sensitive resources and lateral movement within the network. By enabling anonymous access to named pipes, attackers can potentially bypass authentication mechanisms and gain control over critical systems. Although no specific number of affected victims is reported, the impact can be significant, particularly in organizations where shared resources and services rely on secure authentication protocols.

Recommendation

  • Enable Windows Registry auditing to capture changes to the NullSessionPipes registry key. This will allow you to detect unauthorized modifications as described in the overview.
  • Deploy the Sigma rule “NullSessionPipe Registry Modification” to your SIEM and tune for your environment to identify malicious activity related to named pipe modifications.
  • Investigate any alerts generated by the Sigma rule, focusing on the specific named pipes being added or modified in the registry event details, as detailed in the rule’s description.
  • Regularly review and validate the legitimacy of existing entries in the NullSessionPipes registry key to identify and remove any unauthorized pipes.

Detection coverage (3 rules)

NullSessionPipe Registry Modification - Sysmon

medium

Detects the creation or modification of the NullSessionPipes registry key, which can be used to allow anonymous access to named pipes.

Type: sigma | Tactics: defense_evasion, lateral_movement | Techniques: T1021.002, T1112 | Sources: registry_set, windows

NullSessionPipe Registry Modification - PowerShell

medium

Detects PowerShell commands used to modify the NullSessionPipes registry key.

Type: sigma | Tactics: defense_evasion, lateral_movement | Techniques: T1021.002, T1112 | Sources: process_creation, windows

NullSessionPipe Registry Modification - reg.exe

medium

Detects usage of reg.exe to modify NullSessionPipes.

Type: sigma | Tactics: defense_evasion, lateral_movement | Techniques: T1021.002, T1112 | Sources: process_creation, windows
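The three rules above each key on one event source. As an added example that is not the platform's own Sigma logic, the following Python approximates their matching conditions over constructed Sysmon registry_set and process_creation events and, for reg.exe, lists the pipe names that are not on a reviewed baseline (the baseline, file paths and pipe names are hypothetical placeholders):

```python
import re
NSP_SUFFIX = r"\lanmanserver\parameters\nullsessionpipes"
# Hypothetical baseline of reviewed, accepted pipes (placeholder values).
BASELINE = {"netlogon", "lsarpc", "samr"}

def match_registry_set(ev):
    """registry_set (Sysmon EID 13): a write to the NullSessionPipes value."""
    return (ev.get("EventType") == "SetValue"
            and ev.get("TargetObject", "").lower().endswith(NSP_SUFFIX))

def match_reg_exe(ev):
    """process_creation: reg.exe add touching NullSessionPipes."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("Image", "").lower().endswith("\\reg.exe")
            and re.search(r"\badd\b", cmd) is not None
            and "nullsessionpipes" in cmd)

def match_powershell(ev):
    """process_creation: Set-ItemProperty against NullSessionPipes."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
            and "set-itemproperty" in cmd and "nullsessionpipes" in cmd)

def pipes_from_reg_cmd(cmdline):
    """Pipe names from reg.exe's /d argument; REG_MULTI_SZ entries are split on a literal \\0."""
    m = re.search(r'/d\s+"?([^"]+?)"?(?:\s|$)', cmdline, re.IGNORECASE)
    return [p.lower() for p in m.group(1).split("\\0") if p] if m else []

RULES = (("Sysmon", match_registry_set), ("reg.exe", match_reg_exe),
         ("PowerShell", match_powershell))

def triage(events, baseline=BASELINE):
    # Returns (rule_name, pipes_not_in_baseline) for every matching event.
    hits = []
    for ev in events:
        for name, fn in RULES:
            if fn(ev):
                found = set(pipes_from_reg_cmd(ev.get("CommandLine", "")))
                hits.append((name, sorted(found - baseline)))
    return hits

# Constructed sample events; paths and pipe names are made up for the demo.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "TargetObject": r"HKLM\System\CurrentControlSet"
     r"\Services\LanmanServer\Parameters\NullSessionPipes"},
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg add HKLM\SYSTEM"
     r"\CurrentControlSet\Services\LanmanServer\Parameters /v NullSessionPipes"
     r' /t REG_MULTI_SZ /d "netlogon\0lsarpc\0custompipe" /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services"
     r"\LanmanServer\Parameters -Name NullSessionPipes -Value @('netlogon','custompipe')"},
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg query HKLM\SOFTWARE"},
]
```

Only the reg.exe path yields pipe names, since PowerShell's -Value argument is not parsed here; the Sysmon hit still tells you which host to pull the current NullSessionPipes contents from for the baseline review.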
