From f102b2d9a1149458069931c41f20bbc786c29a44 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Sep 2021 13:07:18 +0200
Subject: [PATCH] docs: note to improved sysmon config
---
 rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 2 +-
 rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +-
 .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
index 3075d846d..896120677 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: pipe_created
- definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
 selection_MSSE:
 PipeName|contains|all:
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
index 97b9e587d..163056486 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
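Review bot: The new `+ definition:` line still tells operators to enable Event ID 17 and Event ID 18, but `category: pipe_created` is mapped to Sysmon Event ID 17 (PipeCreated) only, so Event ID 18 (PipeConnected) adds log volume without feeding this rule; the same text is repeated in the hunks for sysmon_mal_cobaltstrike_re.yml and sysmon_susp_cobaltstrike_pipe_patterns.yml. The recommended config is described as logging "the Named Pipes used in this Sigma repo", which presumably means an include list keyed on pipe names; such a list only emits events for pipes matching its patterns and will drift from the rules as new pipe names are added here, and a missing event is indistinguishable from a clean host, so the definition should say this. Suggested wording: `definition: 'Named Pipe events (Sysmon Event ID 17, PipeCreated) must be enabled in the Sysmon configuration; the popular https://github.com/SwiftOnSecurity/sysmon-config does not log them. Add an include rule yourself or use https://github.com/Neo23x0/sysmon-config, which covers the pipe names used by this repo but has to be kept in sync with the rules; logging all pipe events is the safest option where volume permits.'`. The added line also drops the sentence-ending period the original had.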
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: pipe_created
- definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
 selection:
 - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
index c9a3da840..da7bb0a7e 100644
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: pipe_created
- definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
 selection_malleable_profiles:
 PipeName|startswith: