
Commit a23727f

ConnectPipe for \MICROSOFT##WID\tsql\query
1 parent 0ea30fe commit a23727f

1 file changed

Lines changed: 12 additions & 5 deletions


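--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -960,7 +960,7 @@
 <PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
 <PipeName condition="end with">-0,</PipeName>
 </Rule>
-<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match exactly -->
+<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match on malicious pipes that use the common names as a prefix -->
 <PipeName condition="begin with">\scerpc</PipeName>
 <PipeName condition="begin with">\ntsvcs</PipeName>
 <PipeName condition="begin with">\wkssvc</PipeName>
@@ -969,16 +969,23 @@
 <Image condition="end with">\scrcons.exe</Image> <!-- Susupicious WMI Event Consumer creating a named pipe -->
 </PipeEvent>
 </RuleGroup>
-<!-- we skip the connect pipe event since they could be to noisy and a CreatePipe event should come before these -->
-<RuleGroup name="" groupRelation="or">
+<!-- Common Pipe Names to would appear very often in -->
+<RuleGroup name="CommonPipes" groupRelation="or">
 <PipeEvent onmatch="exclude">
-<EventType condition="is">ConnectPipe</EventType>
-<!-- the standard named pipes used by Windows services (we want only the ones that begin with these names)-->
+<!-- the standard named pipes used by Windows services (we want only the ones that begin with these names) -->
 <PipeName condition="is">\scerpc</PipeName>
 <PipeName condition="is">\ntsvcs</PipeName>
 <PipeName condition="is">\wkssvc</PipeName>
 </PipeEvent>
 </RuleGroup>
+<!-- ConnectPipe Events -->
+<!-- Some interesting ConnectPipe events that we want to include -->
+<RuleGroup name="InterestingConnectPipe" groupRelation="and">
+<PipeEvent onmatch="include">
+<EventType condition="is">ConnectPipe</EventType>
+<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
+</PipeEvent>
+</RuleGroup>
 
 <!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
 <!--EVENT 19: "WmiEventFilter activity detected"-->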
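Review bot: Removing `<EventType condition="is">ConnectPipe</EventType>` from the CommonPipes exclude group in the second hunk widens that exclude from ConnectPipe to every PipeEvent type for \scerpc, \ntsvcs and \wkssvc, and since Sysmon applies exclude rules ahead of include rules, any CreatePipe include for those exact names elsewhere in the file is now silenced; if that is the intent it should be stated, otherwise the EventType line should stay. The replacement header comment `<!-- Common Pipe Names to would appear very often in -->` is also ungrammatical and drops the rationale the removed comment carried (these connects are noisy and a CreatePipe event precedes them), so suggest `<!-- CommonPipes: exact-name excludes for service pipes that would otherwise appear very often; a CreatePipe event precedes these connects -->`. The new InterestingConnectPipe group reads correctly for its stated purpose; the PipeEvent the first hunk edits opens before the visible lines.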
