From 38552e98cf850ee52ff77a03033ba30c81413fc7 Mon Sep 17 00:00:00 2001
From: WojciechLesicki
Date: Tue, 25 May 2021 15:47:34 +0200
Subject: [PATCH] Adding some pipes

---
 rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
index 958bb676a..32d6de754 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -17,13 +17,15 @@ logsource:
     category: pipe_created
     definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17)'
 detection:
-    selection_start:
+    selection_MSSE_start:
         PipeName|startswith: '\MSSE-'
-    selection_end:
+    selection_MSSE_end:
         PipeName|endswith: '-server'
-    selection_others:
+    selection_postex:
+        PipeName|startswith: '\postex_'
+    selection_msagent:
         PipeName|startswith: '\msagent_'
-    condition: selection_start and selection_end
+    condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_msagent
 falsepositives:
     - Unknown
 level: critical
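Review bot: The new `condition` mixes `and` and `or` without parentheses, so its meaning rests on Sigma's operator precedence (`and` binds tighter than `or`), which not every reader or backend will have in mind; make the grouping explicit with `condition: (selection_MSSE_start and selection_MSSE_end) or selection_postex or selection_msagent`. The two added selections match on a bare prefix (`\postex_`, `\msagent_`) whereas the MSSE pattern requires both a prefix and the `-server` suffix, and nothing in the hunk documents why the looser match is safe at `level: critical`, so `falsepositives` staying at `Unknown` deserves a second look. These look like the default pipe names from a Cobalt Strike malleable profile, which an operator can rename freely, so I would record that limitation in the rule's `description` (outside this hunk) rather than let the critical level imply coverage of customized beacons.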