Closed Neo23x0 closed 2 years ago
Hi @Neo23x0, after my PR to the Sigma rules (https://github.com/SigmaHQ/sigma/pull/1505) I have created a similar PR for sysmon: https://github.com/SwiftOnSecurity/sysmon-config/pull/150 :)
I think your proposition is better because it is more universal. I, on the other hand, focused on Cobalt Strike.
But I propose to add one more:
<PipeName condition="begin with">\msagent_</PipeName>
to detect SMB Beacon communication. (according to https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/)
@WojciechLesicki : Oh, I haven't noticed your PR. I've added the missing pipe and also added some comments.
Looks like there may be a typo - psexec, no?
<PipeName condition="contains any">paexec;remcom;csexec</PipeName>
EDIT: Looks like paexec is a thing - https://www.poweradmin.com/paexec/
Any reason why psexec is not listed as well?
No, Psexec may cause too many FPs. I intentionally tried to include only pipes that indicate unwanted or malicious behaviour.
Ping
Only as a reference - today a similar PR from me was merged on @olafhartong's repo: https://github.com/olafhartong/sysmon-modular/pull/97
As @Neo23x0 mentioned - we need this also here :)
The events generated by explicit matches on the listed pipe names should be few and highly relevant.
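To show how the two PipeName rules discussed in this thread behave against PipeCreated event data, here is an added example that is not part of the PR or of the sysmon-config project. The Sysmon XML fragment is constructed to mirror the `begin with` and `contains any` rules quoted above, the pipe names are constructed samples, and the matcher is a hypothetical model of Sysmon's case-insensitive include-rule conditions (exclude rule groups are not modelled).

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon config fragment mirroring the two PipeName rules from the
# thread. It is an illustration, not the sysmon-config project's own file.
SYSMON_FRAGMENT = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName condition="begin with">\\msagent_</PipeName>
        <PipeName condition="contains any">paexec;remcom;csexec</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed PipeName values as Sysmon event ID 17 (PipeCreated) would report
# them. \psexecsvc is included to show that PsExec is deliberately NOT matched,
# which is the FP trade-off discussed in the thread.
SAMPLE_PIPES = [
    "\\msagent_4a1b",
    "\\MSAgent_0c2d",          # mixed case: Sysmon conditions are case-insensitive
    "\\PAExec-1234-host",
    "\\remcom_communicaton",
    "\\csexecsvc",
    "\\psexecsvc",
    "\\lsass",
    "\\srvsvc",
]


def _matches(condition, pattern, value):
    """Hypothetical model of Sysmon filter conditions (case-insensitive).
    'contains any' / 'contains all' take a ';'-separated list of terms."""
    v = value.lower()
    p = pattern.lower()
    if condition == "is":
        return v == p
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "contains":
        return p in v
    terms = [t.strip() for t in p.split(";") if t.strip()]
    if condition == "contains any":
        return any(t in v for t in terms)
    if condition == "contains all":
        return all(t in v for t in terms)
    raise ValueError(f"unsupported condition: {condition}")


def load_pipe_rules(xml_text):
    """Collect (condition, pattern) pairs from every include PipeEvent block."""
    root = ET.fromstring(xml_text)
    rules = []
    for pipe_event in root.iter("PipeEvent"):
        if pipe_event.get("onmatch", "include") != "include":
            continue  # exclude groups are not modelled here
        for rule in pipe_event.findall("PipeName"):
            rules.append((rule.get("condition", "is"), (rule.text or "").strip()))
    return rules


def matching_rules(rules, pipe_name):
    """Return every rule that would make Sysmon emit an event for this pipe."""
    return [(c, p) for c, p in rules if _matches(c, p, pipe_name)]


def triage(xml_text=SYSMON_FRAGMENT, pipes=SAMPLE_PIPES):
    """Map each observed pipe name to the rules it triggers (empty = no event)."""
    rules = load_pipe_rules(xml_text)
    return {name: matching_rules(rules, name) for name in pipes}


if __name__ == "__main__":
    for pipe, hits in triage().items():
        status = "ALERT " if hits else "quiet "
        print(f"{status}{pipe:25} {hits}")
```

Running the block prints one line per sample pipe; only the msagent_, paexec, remcom and csexec samples produce hits, while \psexecsvc, \lsass and \srvsvc stay quiet, which is exactly the low-volume, high-relevance behaviour the last comment describes.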