
Commit ae35ee4

authored
Merge pull request #19 from Neo23x0/config-devel
ConnectPipe for \MICROSOFT##WID\tsql\query
2 parents c327298 + 0681c23 commit ae35ee4

1 file changed

Lines changed: 8 additions & 5 deletions


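--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -960,20 +960,23 @@
 <PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
 <PipeName condition="end with">-0,</PipeName>
 </Rule>
-<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match exactly -->
+<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match on malicious pipes that use the common names as a prefix -->
 <PipeName condition="begin with">\scerpc</PipeName>
 <PipeName condition="begin with">\ntsvcs</PipeName>
 <PipeName condition="begin with">\wkssvc</PipeName>
 <!-- Other specific named pipes -->
 <PipeName condition="contains">6e7645c4-32c5-4fe3-aabf-e94c2f4370e7</PipeName> <!-- LiquidSnake hacktool https://github.com/RiccardoAncarani/LiquidSnake -->
 <Image condition="end with">\scrcons.exe</Image> <!-- Susupicious WMI Event Consumer creating a named pipe -->
+<Rule groupRelation="and"> <!-- Some interesting ConnectPipe events that we want to include -->
+<EventType condition="is">ConnectPipe</EventType>
+<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
+</Rule>
 </PipeEvent>
 </RuleGroup>
-<!-- we skip the connect pipe event since they could be to noisy and a CreatePipe event should come before these -->
-<RuleGroup name="" groupRelation="or">
+<!-- Common Pipe Names to would appear very often in -->
+<RuleGroup name="CommonPipes" groupRelation="or">
 <PipeEvent onmatch="exclude">
-<EventType condition="is">ConnectPipe</EventType>
-<!-- the standard named pipes used by Windows services (we want only the ones that begin with these names)-->
+<!-- the standard named pipes used by Windows services (we want only the ones that begin with these names) -->
 <PipeName condition="is">\scerpc</PipeName>
 <PipeName condition="is">\ntsvcs</PipeName>
 <PipeName condition="is">\wkssvc</PipeName>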
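Review bot: Dropping `<EventType condition="is">ConnectPipe</EventType>` from the exclude group (old line 975) is what lets the new `\MICROSOFT##WID\tsql\query` rule fire, but because Sysmon lets an exclude match override an include match, that blanket term was also what kept every other include filter in this PipeEvent group CreatePipe-only; the prefix filters for `\scerpc`/`\ntsvcs`/`\wkssvc`, the LiquidSnake GUID and the `\scrcons.exe` image carry no EventType term of their own, so they now match ConnectPipe events too, and the new `CommonPipes` exclusions only cover the three exact service pipe names. The removed comment on old line 972 recorded why ConnectPipe was suppressed wholesale (noise, CreatePipe precedes it); nothing in the new text says that decision was reversed on purpose, so a reader cannot tell whether the extra ConnectPipe volume is intended or an accident of the change. I would state it next to the new group comment, e.g. `<!-- ConnectPipe is no longer excluded wholesale: include filters above that have no EventType term now fire on ConnectPipe as well as CreatePipe; wrap a filter in a groupRelation="and" Rule with <EventType condition="is">CreatePipe</EventType> if it should stay CreatePipe-only -->`. The include group starts before this hunk, so I cannot confirm whether any earlier include rule already scopes itself to CreatePipe. As a minor style point, the new group comment `Common Pipe Names to would appear very often in` is truncated; `Common pipe names that appear very often` reads cleanly.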
