tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

CrowdStrike Pipe Connection & Pipe Creation #35

Closed Guzzy711 closed 1 year ago

Guzzy711 commented 1 year ago

I think there might be an issue with Pipe Connection and Pipe Creation on the CrowdStrike field.

From reading the CrowdStrike docs, I can see that there is an event field called SmbClientNamedPipeConnectEtw: "An event that indicates when a machine connects to a remote SMB (Server Message Block) named pipe. The event contains the pattern id of the associated indicator and is supported on all Windows platforms except 8.1 and Server 2012 R2. Captured using the ETW consumer."

CrowdStrike also has NamedPipeDetectInfo, which carries a NamedPipeOperationType that can be:

  1. Create
  2. Open
  3. Impersonate

tsale commented 1 year ago

Hello @Guzzy711. What is the issue, and what is your suggested solution?

Guzzy711 commented 1 year ago

Hi,

I have created a PR https://github.com/tsale/EDR-Telemetry/pull/36

Guzzy711 commented 1 year ago

Was fixed with https://github.com/tsale/EDR-Telemetry/pull/36