More network monitoring

Changes:
- Monitor proxy server changes
- Monitor writing Office macro documents
- ngen/ngentask filtering
- Now monitoring net.exe, sec.exe, qwinstal.exe, and sensitive ports,
thanks to @ion-storm
- Cleaned up NamedPipe area in sysmonconfig
- Adding extra-NamedPipes.xml to show what I'm testing internally

Author: SwiftOnSecurity

extra-NamedPipes.xml

@@ -0,0 +1,21 @@
+<!--Addendum file for sysmon-config.xml which enables PipeEvent monitoring when merged. Currently under development.-->
+
+		<PipeEvent onmatch="exclude">
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
+			<!--SECTION: Webroot-->
+			<PipeName condition="is">\WRSVCPipe</PipeName>
+			<PipeName condition="is">\WRSynUM2</PipeName>
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<!--SECTION: Google-->
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
+			<!--SECTION: Other-->
+			<Image condition="end with">slack.exe</Image>
+		</PipeEvent>