
Commit 0681c23

authored
Update sysmonconfig-export.xml
1 parent 3b1f323 commit 0681c23

1 file changed

Lines changed: 4 additions & 5 deletions


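--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -967,11 +967,10 @@
 <!-- Other specific named pipes -->
 <PipeName condition="contains">6e7645c4-32c5-4fe3-aabf-e94c2f4370e7</PipeName> <!-- LiquidSnake hacktool https://github.com/RiccardoAncarani/LiquidSnake -->
 <Image condition="end with">\scrcons.exe</Image> <!-- Susupicious WMI Event Consumer creating a named pipe -->
-</PipeEvent>
-<!-- Some interesting ConnectPipe events that we want to include -->
-<PipeEvent onmatch="include">
-<EventType condition="is">ConnectPipe</EventType>
-<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
+<Rule groupRelation="and"> <!-- Some interesting ConnectPipe events that we want to include -->
+<EventType condition="is">ConnectPipe</EventType>
+<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
+</Rule>
 </PipeEvent>
 </RuleGroup>
 <!-- Common Pipe Names to would appear very often in -->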
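Review bot: The new `<Rule groupRelation="and">` at new line 970 has no `name` attribute, so the events it matches will have an empty RuleName and an analyst cannot tell them apart from the other includes in this PipeEvent block; I would write `<Rule name="RULE_NAME_PLACEHOLDER" groupRelation="and">` with a name that identifies the WID query-pipe connection. The compound rule only acts as an alternative to the sibling `PipeName`/`Image` conditions if the enclosing `<RuleGroup>` uses `groupRelation="or"`; that opening tag and the start of the `<PipeEvent onmatch="include">` block are outside the hunk, so this should be confirmed. The inline comment could also say what the pipe is (the Windows Internal Database query pipe) and that services on hosts running WID presumably connect to it routinely, so the detection that consumes these events should filter on the connecting `Image`.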
