valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added also \status_ pipe.

Browse Source
This commit is contained in:
WojciechLesicki 2021-05-25 21:58:22 +02:00
parent f1a0308e73
commit 8b707bc948
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
View File

@ -26,9 +26,11 @@ detection:
PipeName|startswith: '\postex_'
selection_postex_ssh:
PipeName|startswith: '\postex_ssh_'
selection_status:
PipeName|startswith: '\status_'
selection_msagent:
PipeName|startswith: '\msagent_'
condition: selection_MSSE_start and selection_MSSE_end or selection_postex or or selection_postex_ssh or selection_msagent
condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_postex_ssh or selection_status or selection_msagent
falsepositives:
- Unknown
level: critical