Merge pull request #565 from RiccardoAncarani/master

Add Covenant default named pipe
Florian Roth 2020-01-29 20:28:00 +01:00 committed by GitHub
commit 376092cfd3
GPG Key ID: 4AEE18F83AFDEB23


@ -30,6 +30,7 @@ detection:
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
- '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
- '\gruntsvc' # Covenant default named pipe
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
condition: selection
tags:
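Review bot: the new `'\gruntsvc'` entry is the only item in this list whose trailing comment gives no source, while the neighbouring entries cite a report, a sample hash or the Sigma issue that justifies them; add a reference to where Covenant's default pipe name is documented (project docs or the relevant source file) so the indicator stays auditable when the default changes. Since the comment itself calls it a "default" pipe name, it is also worth a short note in the comment that the value is operator-configurable, so analysts reading the rule know a miss on this exact string is not evidence of Covenant being absent.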