From affc929c3b49e3d3cbdb1cfce4cebc7e01573467 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Sep 2021 13:54:47 +0200
Subject: [PATCH] LiquidSnake named pipe
---
 rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index e425bf51..f8fbc077 100644
--- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
@@ -34,6 +34,7 @@ detection:
 - '\Posh*' #PoshC2 default
 - '\jaccdpqnvbrrxlaf' #PoshC2 default
 - '\csexecsvc' #CSEXEC default
+ - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake
 condition: selection
 tags:
 - attack.defense_evasion
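Review bot: The comment on the added pipe name puts the project URL inline and omits the `default` wording the neighbouring entries use, so a reader cannot tell that this is a fixed-string indicator. If the GUID is LiquidSnake's built-in pipe name (presumably, given the comment), the entry only matches unmodified builds, and saying so keeps analysts from over-trusting the coverage: `- '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake default`, with the URL moved to the rule's `references:` list. The diffstat shows a single insertion, so any `modified:` date in the rule header was not updated along with the detection change; the header lies outside the hunk, so confirm it there.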