Commit
Rule: suspicious pipes extended
Florian Roth committed Feb 21, 2019
1 parent 343a40c commit d3b623e
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions rules/windows/sysmon/sysmon_mal_namedpipes.yml
Expand Up @@ -28,6 +28,8 @@ detection:
- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
- '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
condition: selection
tags:
- attack.defense_evasion
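Review bot: the new `# - '\status_*'` entry is added commented out with the same justification as the active `\msagent_*` entry, but nothing in the hunk records why it is disabled, so a later maintainer cannot tell whether it was dropped for false positives or only parked for review; extend the comment on that line with the reason (or move it to the rule's falsepositives section) and consider the same for `\msagent_*`, since a prefix wildcard will match any pipe name starting with `\msagent_` and the referenced issue is the only hint at expected matches.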

0 comments on commit d3b623e