
Commit 3b1f323

committed
fix: position of PipeEvent
1 parent 3c249b9 commit 3b1f323

1 file changed

Lines changed: 5 additions & 5 deletions


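--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -967,11 +967,11 @@
 <!-- Other specific named pipes -->
 <PipeName condition="contains">6e7645c4-32c5-4fe3-aabf-e94c2f4370e7</PipeName> <!-- LiquidSnake hacktool https://github.com/RiccardoAncarani/LiquidSnake -->
 <Image condition="end with">\scrcons.exe</Image> <!-- Susupicious WMI Event Consumer creating a named pipe -->
-<!-- Some interesting ConnectPipe events that we want to include -->
-<PipeEvent onmatch="include">
-<EventType condition="is">ConnectPipe</EventType>
-<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
-</PipeEvent>
+</PipeEvent>
+<!-- Some interesting ConnectPipe events that we want to include -->
+<PipeEvent onmatch="include">
+<EventType condition="is">ConnectPipe</EventType>
+<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
 </PipeEvent>
 </RuleGroup>
 <!-- Common Pipe Names to would appear very often in -->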
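Review bot: The two conditions in the new `<PipeEvent onmatch="include">` block (new lines 972–974) are sibling filters, so how they combine depends on the enclosing `RuleGroup`, which opens outside this hunk. If that group uses `groupRelation="or"`, the block would include every ConnectPipe event rather than only connections to `\MICROSOFT##WID\tsql\query`. Wrapping the pair in `<Rule groupRelation="and">` … `</Rule>` makes the intended conjunction explicit and keeps ConnectPipe event volume bounded. It is also worth confirming that the preceding PipeEvent block, whose opening tag is outside the hunk, is not itself an include filter in the same RuleGroup. A second include filter for the same event type in one group may be rejected or not applied as expected, depending on the Sysmon schema version, so loading the config on a test host and dumping the active rules would confirm both points.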
