SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Important and relevant NamedPipe names #151

Closed Neo23x0 closed 2 years ago

Neo23x0 commented 3 years ago

The events generated by explicit matches on the listed pipe names should be few and highly relevant.

WojciechLesicki commented 3 years ago

Hi @Neo23x0, after my PR to the Sigma rules (https://github.com/SigmaHQ/sigma/pull/1505) I have created a similar PR for sysmon: https://github.com/SwiftOnSecurity/sysmon-config/pull/150 :)

I think your proposition is better because it is more universal. I, on the other hand, focused on Cobalt Strike. But I propose to add one more: <PipeName condition="begin with">\msagent_</PipeName> to detect SMB Beacon communication. (according to https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/)

Neo23x0 commented 3 years ago

@WojciechLesicki : Oh, I haven't noticed your PR. I've added the missing pipe and also added some comments.

aaronrunkle commented 3 years ago

Looks like there may be a typo - psexec, no? <PipeName condition="contains any">paexec;remcom;csexec</PipeName>

EDIT: Looks like paexec is a thing - https://www.poweradmin.com/paexec/

Any reason why psexec is not listed as well?

Neo23x0 commented 3 years ago

No, PsExec may cause too many FPs. I intentionally tried to include only pipes that indicate unwanted or malicious behaviour.
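To make the two rule forms discussed above concrete (the "begin with" rule for \msagent_ and the "contains any" rule for paexec;remcom;csexec), here is an added example that is not part of the sysmon-config project or this thread: a small Python script that parses a Sysmon-style PipeEvent rule fragment and evaluates it against constructed Event ID 17 pipe names. The XML fragment and every pipe name in it are constructed for illustration (the schemaversion is just a placeholder); the matching semantics follow Sysmon's case-insensitive string conditions and its exclude-beats-include precedence. The PsExec-style pipe is included on purpose to show that it does not fire, which is the false-positive trade-off Neo23x0 describes.

```python
"""Evaluate Sysmon-style PipeEvent include rules against sample pipe names.

Added example, not the sysmon-config project's code. The rule fragment below
mirrors the rules discussed in the thread; the pipe names are constructed
sample inputs, not captured telemetry.
"""
import xml.etree.ElementTree as ET

# Constructed rule fragment in Sysmon config syntax (schemaversion is illustrative).
SYSMON_RULES = r"""
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName condition="begin with">\msagent_</PipeName>
        <PipeName condition="contains any">paexec;remcom;csexec</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed sample PipeName values as they would appear in Sysmon Event ID 17.
SAMPLE_PIPES = [
    "\\msagent_7f1c",        # SMB Beacon-style pipe (constructed)
    "\\PAExec-2184-WKS01",   # PAExec-style service pipe (constructed)
    "\\remcom_svc",          # RemCom-style pipe (constructed)
    "\\csexec.stdout",       # csexec-style pipe (constructed)
    "\\PSEXESVC",            # PsExec-style service pipe, deliberately not in the ruleset
    "\\lsass",               # ordinary system pipe
]


def matches(condition, pattern, value):
    """Apply one Sysmon string condition. Sysmon matching is case-insensitive."""
    v = value.lower()
    p = pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "contains any":
        return any(part in v for part in p.split(";"))
    if condition == "contains all":
        return all(part in v for part in p.split(";"))
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    raise ValueError(f"unsupported condition: {condition}")


def load_pipe_rules(xml_text):
    """Return (onmatch, field, condition, pattern) tuples from every PipeEvent block.

    A missing condition attribute means "is", as in Sysmon.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for pipe_event in root.iter("PipeEvent"):
        onmatch = pipe_event.get("onmatch", "include")
        for field in pipe_event:
            rules.append((onmatch, field.tag, field.get("condition", "is"), field.text.strip()))
    return rules


def first_hit(rules, event):
    """Return (condition, pattern) of the first include rule the event matches, or None.

    Exclude rules take precedence over include rules, matching Sysmon's behaviour.
    """
    for onmatch, field, cond, pattern in rules:
        if onmatch == "exclude" and matches(cond, pattern, event.get(field, "")):
            return None
    for onmatch, field, cond, pattern in rules:
        if onmatch == "include" and matches(cond, pattern, event.get(field, "")):
            return (cond, pattern)
    return None


def triage(rules, pipe_names):
    """Map each PipeName to the rule that would log it (or None if Sysmon drops it)."""
    return {name: first_hit(rules, {"PipeName": name}) for name in pipe_names}


if __name__ == "__main__":
    for name, hit in triage(load_pipe_rules(SYSMON_RULES), SAMPLE_PIPES).items():
        status = f"LOGGED by {hit[0]!r} {hit[1]!r}" if hit else "not logged"
        print(f"{name:22} {status}")
```

Running it shows the msagent_, paexec, remcom and csexec pipes each hit exactly one include rule, while the PsExec-style pipe and the ordinary system pipe produce no event at all, which is the "few and highly relevant" property the issue asks for. Adding `psexec` to the contains-any list would flip the PsExec line to logged on every legitimate PsExec session, which is the false-positive cost being weighed.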

Neo23x0 commented 3 years ago

Ping

WojciechLesicki commented 3 years ago

Only as a reference - today a similar PR from me was merged on @olafhartong's repo: https://github.com/olafhartong/sysmon-modular/pull/97

As @Neo23x0 mentioned - we need this also here :)