File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 935935 <PipeName condition =" begin with" PipeName >
936936 <PipeName condition =" begin with" PipeName >
937937 <PipeName condition =" begin with" PipeName >
938+ <!-- Malleable C2 profiles https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 -->
939+ <PipeName condition =" begin with" PipeName >
940+ <PipeName condition =" begin with" PipeName >
941+ <PipeName condition =" begin with" PipeName >
942+ <PipeName condition =" begin with" PipeName >
943+ <PipeName condition =" begin with" PipeName >
944+ <PipeName condition =" begin with" PipeName >
945+ <PipeName condition =" begin with" PipeName >
946+ <PipeName condition =" begin with" PipeName >
947+ <PipeName condition =" begin with" PipeName >
948+ <PipeName condition =" begin with" PipeName >
949+ <PipeName condition =" begin with" PipeName >
950+ <PipeName condition =" begin with" PipeName >
951+ <Rule groupRelation =" and" <!-- would be noisy otherwise as \Winsock2\CatalogchangeListener-???-0 is a legitimate pipe name -->
952+ <PipeName condition =" begin with" PipeName >
953+ <PipeName condition =" end with" PipeName >
954+ </Rule >
938955 <!-- these are standard pipes that appear frequently but the Sigma rules use RE to match exactly -->
939956 <PipeName condition =" begin with" PipeName >
940957 <PipeName condition =" begin with" PipeName >
You can’t perform that action at this time.
0 commit comments