Important and relevant NamedPipe names #151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 17, 2021
Conversation

Neo23x0
Contributor

@Neo23x0 Neo23x0 commented May 27, 2021

The events generated by an explicit matches on the listed pipe names should be few and highly relevant.

@WojciechLesicki

WojciechLesicki commented May 27, 2021

Hi @Neo23x0,
after the PR to the Sigma rules (SigmaHQ/sigma#1505) I have created a similar PR for sysmon: #150 :)

I think your proposition is better because it is more universal. I, on the other hand, focused on Cobalt Strike.
But I propose to add one more:
<PipeName condition="begin with">\msagent_</PipeName>
to detect SMB Beacon communication (according to https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/).

@Neo23x0
Contributor Author

Neo23x0 commented May 28, 2021

@WojciechLesicki: Oh, I hadn't noticed your PR. I've added the missing pipe and also added some comments.

@aaronrunkle

aaronrunkle commented Jun 15, 2021

Looks like there may be a typo - psexec, no?
<PipeName condition="contains any">paexec;remcom;csexec</PipeName>

EDIT:
Looks like paexec is a thing - https://www.poweradmin.com/paexec/

Any reason why psexec is not listed as well?

@Neo23x0
Contributor Author

Neo23x0 commented Jun 15, 2021

No, Psexec may cause too many FPs. I intentionally tried to include only pipes that indicate unwanted or malicious behaviour.
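As an added example, not code from this PR or from the sysmon-config project, the following Python script reads the two PipeName rule lines quoted in the thread as a Sysmon rule fragment and evaluates them against constructed PipeCreated (Event ID 17) records; the PSEXESVC record stays silent because psexec is deliberately left out of the rules, as explained above.

```python
# Added example, not code from this PR or from the sysmon-config project:
# evaluate Sysmon-style <PipeName> include rules against Event ID 17
# (PipeCreated) records. Rule values are the ones discussed in the thread;
# the events are constructed sample data, not real telemetry.
import xml.etree.ElementTree as ET

RULES_XML = """
<RuleGroup name="" groupRelation="or">
  <PipeEvent onmatch="include">
    <PipeName condition="begin with">\\msagent_</PipeName>
    <PipeName condition="contains any">paexec;remcom;csexec</PipeName>
  </PipeEvent>
</RuleGroup>
"""

# Constructed events; the PSEXESVC pipe is left out of the rules on purpose
# (too many false positives, per the thread) and must not alert.
SAMPLE_EVENTS = [
    {"PipeName": "\\msagent_4a1f", "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"PipeName": "\\PAExec-1234-HOST", "Image": "C:\\Windows\\paexec.exe"},
    {"PipeName": "\\PSEXESVC", "Image": "C:\\Windows\\PSEXESVC.exe"},
    {"PipeName": "\\lsass", "Image": "C:\\Windows\\System32\\lsass.exe"},
]

# Sysmon string conditions are case-insensitive; "contains any" is ';'-separated.
CONDITIONS = {
    "is": lambda name, val: name == val,
    "begin with": lambda name, val: name.startswith(val),
    "contains any": lambda name, val: any(
        p.strip() in name for p in val.split(";") if p.strip()),
}

def parse_rules(xml_text):
    """Return (condition, value) pairs from every PipeEvent include block."""
    rules = []
    for pipe_event in ET.fromstring(xml_text).iter("PipeEvent"):
        if pipe_event.get("onmatch", "include") != "include":
            continue
        for el in pipe_event.findall("PipeName"):
            rules.append((el.get("condition", "is").lower(), el.text.strip()))
    return rules

def matches(condition, value, pipe_name):
    """Apply one Sysmon condition to a pipe name, case-insensitively."""
    return CONDITIONS[condition](pipe_name.lower(), value.lower())

def alert_on(events, rules):
    """Return the pipe names of events that hit at least one include rule."""
    return [e["PipeName"] for e in events
            if any(matches(c, v, e["PipeName"]) for c, v in rules)]
```

Running `alert_on(SAMPLE_EVENTS, parse_rules(RULES_XML))` flags only the msagent_ and PAExec pipes.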

@Neo23x0
Contributor Author

Neo23x0 commented Jul 6, 2021

Ping

@WojciechLesicki

Only as a reference: today a similar PR from me was merged on the @olafhartong repo:
olafhartong/sysmon-modular#97

As @Neo23x0 mentioned - we need this also here :)
