forked from SwiftOnSecurity/sysmon-config
-
Notifications
You must be signed in to change notification settings - Fork 0
/
extra-NamedPipes.xml
21 lines (20 loc) · 1.21 KB
/
extra-NamedPipes.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<!--Addendum file for sysmon-config.xml which enables PipeEvent monitoring when merged. Currently under development.-->
<PipeEvent onmatch="exclude">
<!--COMMENT: Exclude known-good pipe users-->
<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
<!--SECTION: Microsoft-->
<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
<!--SECTION: Webroot-->
<PipeName condition="is">\WRSVCPipe</PipeName>
<PipeName condition="is">\WRSynUM2</PipeName>
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
<!--SECTION: Google-->
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<!--SECTION: Other-->
<Image condition="end with">slack.exe</Image>
</PipeEvent>