Closed ceramicskate0 closed 2 years ago
<PipeEvent onmatch="include"> <!--NOTE: Using incide with no rules means nothing in this section will be logged--> </PipeEvent> </RuleGroup> <RuleGroup name="" groupRelation="or"> <PipeEvent onmatch="include"> <!-- Remote Command Execution Tools --> <PipeName condition="contains any">paexec;remcom;csexec</PipeName> <!-- Password or Credential Dumpers --> <PipeName condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName> <!-- Malware --> <PipeName condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName> <PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName> <!-- Cobalt Strike Pipe Names --> <PipeName condition="contains all">MSSE-;-server</PipeName> <PipeName condition="begin with">\postex_</PipeName> <PipeName condition="begin with">\postex_ssh_</PipeName> <PipeName condition="begin with">\status_</PipeName> <PipeName condition="begin with">\msagent_</PipeName> </PipeEvent> </RuleGroup>
only oding excludes on named pipes. catching most of this already due to that approach.