29 changes: 25 additions & 4 deletions sysmonconfig-export-block.xml
Expand Up @@ -946,7 +946,6 @@
<PipeName condition="begin with">\netlogon_</PipeName>
<PipeName condition="begin with">\srvsvc_</PipeName>
<PipeName condition="begin with">\lsarpc_</PipeName>
<PipeName condition="begin with">\wkssvc_</PipeName>
<!-- Havoc C2 default -->
<PipeName condition="begin with">\demon_pipe</PipeName>
<!-- Malleable C2 profiles https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 -->
Expand All @@ -957,8 +956,6 @@
<PipeName condition="begin with">\mypipe-f</PipeName>
<PipeName condition="begin with">\mypipe-h</PipeName>
<PipeName condition="begin with">\windows.update.manager</PipeName>
<PipeName condition="begin with">\ntsvcs_</PipeName>
<PipeName condition="begin with">\scerpc_</PipeName>
<!-- Malleable C2 profiles https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 -->
<PipeName condition="begin with">\demoagent_</PipeName>
<PipeName condition="begin with">\PGMessagePipe</PipeName>
Expand All @@ -970,14 +967,22 @@
<PipeName condition="begin with">\f53f</PipeName>
<PipeName condition="begin with">\rpc_</PipeName>
<PipeName condition="begin with">\spoolss_</PipeName>
<PipeName condition="begin with">\Winsock2\CatalogChangeListener</PipeName>
<PipeName condition="begin with">\win_svc</PipeName>
<PipeName condition="begin with">\SearchTextHarvester</PipeName>
<PipeName condition="begin with">\adschemerpc</PipeName> <!-- Turla HyperStack - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity -->
<PipeName condition="begin with">\AnonymousPipe</PipeName> <!-- Hidden Cobra Hoplight - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a -->
<PipeName condition="begin with">\bc367</PipeName> <!-- Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf -->
<PipeName condition="begin with">\bc31a7</PipeName> <!-- Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf -->
<PipeName condition="begin with">\testPipe</PipeName> <!-- Emissary Panda Hyerbri - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ -->
<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match on malicious pipes that use the common names as a prefix -->
<!--RMM Pipe-->
<PipeName condition="is">\adprinterpipe</PipeName>
<!--Suspicious Location of Image-->
<Image condition="contains">:\PerfLogs\</Image>
<Image condition="contains">:\Users\Public\</Image>
<Image condition="contains">:\Windows\System32\Tasks\</Image>
<Image condition="contains">:\Windows\Tasks\</Image>
<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match on malicious pipes that use the common names as a prefix -->
<PipeName condition="begin with">\scerpc</PipeName>
<PipeName condition="begin with">\ntsvcs</PipeName>
<PipeName condition="begin with">\wkssvc</PipeName>
Expand All @@ -988,6 +993,14 @@
<EventType condition="is">ConnectPipe</EventType>
<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
</Rule>
<PipeName condition="contains">\coerced\</PipeName> <!--https://blog.hackvens.fr/articles/CoercedPotato.html-->
<PipeName condition="contains">thisispipe</PipeName> <!-- DiagTrackEoP Default Named Pipe-->
<PipeName condition="contains">\pipe\</PipeName> <!--EfsPotato Named Pipe Creation-->
<PipeName condition="contains any">\imposecost;\imposingcost</PipeName> <!--Koh Default Named Pipe-->
<PipeName condition="begin with">\PAExec</PipeName> <!--PAExec default named pipe-->
<PipeName condition="contains">\RemCom</PipeName> <!--RemCom Default Named Pipe-->
<PipeName condition="contains">\PSEXESVC</PipeName> <!--PsExec Tool PipeName-->
<PipeName condition="contains">\PSEXECSVC</PipeName> <!--Implementation of PsExec in another form like python, CSharp etc-->
</PipeEvent>
</RuleGroup>
<!-- Common Pipe Names to would appear very often in -->
Expand All @@ -997,6 +1010,14 @@
<PipeName condition="is">\scerpc</PipeName>
<PipeName condition="is">\ntsvcs</PipeName>
<PipeName condition="is">\wkssvc</PipeName>
<PipeName condition="is">\MsFteWds</PipeName>
<PipeName condition="is">\PGMessagePipe</PipeName>
<PipeName condition="is">\SearchTextHarvester</PipeName>
<PipeName condition="is">\spoolss</PipeName>
<PipeName condition="is">\srvsvc</PipeName>
<!--Aurora Default Pipe-->
<Image condition="end with">\aurora-agent-64.exe</Image>
<Image condition="end with">\aurora-agent.exe</Image>
</PipeEvent>
</RuleGroup>

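Review bot: Adding `\PGMessagePipe` and `\SearchTextHarvester` as `condition="is"` entries to the exclude RuleGroup (the hunk at `@@ -997,6 +1010,14 @@`) silences the `condition="begin with"` include entries for the same names earlier in the file (`\PGMessagePipe` from the Malleable C2 gist list, `\SearchTextHarvester` in the `@@ -970,14 +967,22 @@` hunk), because Sysmon applies exclusions before inclusions; a pipe created with exactly those names will no longer produce an event, and only suffixed variants still alert. If that trade-off is intended to cut noise from legitimate Windows Search activity, it should be stated next to the exclusions, e.g. `<!-- exact-name exclusions: these also appear in the 'begin with' include list above, so only suffixed variants of these names still alert -->`. The same applies to `\spoolss`/`\srvsvc` here, although those includes use an underscore suffix (`\srvsvc_`, `\spoolss_`) and so remain fully effective. Separately, this block variant lacks the `\Microsoft\Windows\Start Menu\Programs\Startup\` Image entry that the sibling sysmonconfig-export.xml section adds under the same "Suspicious Location of Image" comment, so the two exports now diverge. The enclosing `<PipeEvent>` include block starts above the first hunk.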
28 changes: 25 additions & 3 deletions sysmonconfig-export.xml
Expand Up @@ -990,7 +990,6 @@
<PipeName condition="begin with">\netlogon_</PipeName>
<PipeName condition="begin with">\srvsvc_</PipeName>
<PipeName condition="begin with">\lsarpc_</PipeName>
<PipeName condition="begin with">\wkssvc_</PipeName>
<!-- Havoc C2 default -->
<PipeName condition="begin with">\demon_pipe</PipeName>
<!-- Malleable C2 profiles https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 -->
Expand All @@ -1001,8 +1000,6 @@
<PipeName condition="begin with">\mypipe-f</PipeName>
<PipeName condition="begin with">\mypipe-h</PipeName>
<PipeName condition="begin with">\windows.update.manager</PipeName>
<PipeName condition="begin with">\ntsvcs_</PipeName>
<PipeName condition="begin with">\scerpc_</PipeName>
<!-- Malleable C2 profiles https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 -->
<PipeName condition="begin with">\demoagent_</PipeName>
<PipeName condition="begin with">\PGMessagePipe</PipeName>
Expand All @@ -1014,13 +1011,22 @@
<PipeName condition="begin with">\f53f</PipeName>
<PipeName condition="begin with">\rpc_</PipeName>
<PipeName condition="begin with">\spoolss_</PipeName>
<PipeName condition="begin with">\Winsock2\CatalogChangeListener</PipeName>
<PipeName condition="begin with">\win_svc</PipeName>
<PipeName condition="begin with">\SearchTextHarvester</PipeName>
<PipeName condition="begin with">\adschemerpc</PipeName> <!-- Turla HyperStack - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity -->
<PipeName condition="begin with">\AnonymousPipe</PipeName> <!-- Hidden Cobra Hoplight - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a -->
<PipeName condition="begin with">\bc367</PipeName> <!-- Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf -->
<PipeName condition="begin with">\bc31a7</PipeName> <!-- Pacifier - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf -->
<PipeName condition="begin with">\testPipe</PipeName> <!-- Emissary Panda Hyerbri - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ -->
<!--RMM Pipe-->
<PipeName condition="is">\adprinterpipe</PipeName>
<!--Suspicious Location of Image-->
<Image condition="contains">:\PerfLogs\</Image>
<Image condition="contains">:\Users\Public\</Image>
<Image condition="contains">:\Windows\System32\Tasks\</Image>
<Image condition="contains">:\Windows\Tasks\</Image>
<Image condition="contains">\Microsoft\Windows\Start Menu\Programs\Startup\</Image>
<!-- these are standard pipes that appear frequently but the Sigma rules use RE to match on malicious pipes that use the common names as a prefix -->
<PipeName condition="begin with">\scerpc</PipeName>
<PipeName condition="begin with">\ntsvcs</PipeName>
Expand All @@ -1032,6 +1038,14 @@
<EventType condition="is">ConnectPipe</EventType>
<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- https://github.com/SigmaHQ/sigma/pull/2128 -->
</Rule>
<PipeName condition="contains">\coerced\</PipeName> <!--https://blog.hackvens.fr/articles/CoercedPotato.html-->
<PipeName condition="contains">thisispipe</PipeName> <!-- DiagTrackEoP Default Named Pipe-->
<PipeName condition="contains">\pipe\</PipeName> <!--EfsPotato Named Pipe Creation-->
<PipeName condition="contains any">\imposecost;\imposingcost</PipeName> <!--Koh Default Named Pipe-->
<PipeName condition="begin with">\PAExec</PipeName> <!--PAExec default named pipe-->
<PipeName condition="contains">\RemCom</PipeName> <!--RemCom Default Named Pipe-->
<PipeName condition="contains">\PSEXESVC</PipeName> <!--PsExec Tool PipeName-->
<PipeName condition="contains">\PSEXECSVC</PipeName> <!--Implementation of PsExec in another form like python, CSharp etc-->
</PipeEvent>
</RuleGroup>
<!-- Common Pipe Names to would appear very often in -->
Expand All @@ -1041,6 +1055,14 @@
<PipeName condition="is">\scerpc</PipeName>
<PipeName condition="is">\ntsvcs</PipeName>
<PipeName condition="is">\wkssvc</PipeName>
<PipeName condition="is">\MsFteWds</PipeName>
<PipeName condition="is">\PGMessagePipe</PipeName>
<PipeName condition="is">\SearchTextHarvester</PipeName>
<PipeName condition="is">\spoolss</PipeName>
<PipeName condition="is">\srvsvc</PipeName>
<!--Aurora Default Pipe-->
<Image condition="end with">\aurora-agent-64.exe</Image>
<Image condition="end with">\aurora-agent.exe</Image>
</PipeEvent>
</RuleGroup>

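Review bot: `<PipeName condition="contains">\pipe\</PipeName>` in the hunk at `@@ -1032,6 +1038,14 @@` is the broadest entry added here: it fires on any pipe whose reported name embeds a `\pipe\` path component, not only the tool named in its comment, and Sysmon string conditions are case-insensitive, so it will also catch mixed-case variants. That breadth is probably deliberate for a detection-oriented config, but the inline comment should say so rather than naming a single tool, e.g. `<!-- nested \pipe\ component in a pipe name; intentionally broad, expect occasional legitimate hits -->`, so the next maintainer does not narrow it by accident. The comment on `\adprinterpipe` (`<!--RMM Pipe-->`) is similarly terse and would benefit from naming which product creates that pipe. The enclosing `<PipeEvent>` include block starts above the first hunk of this section.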