File tree Expand file tree Collapse file tree 2 files changed +23
-23
lines changed Expand file tree Collapse file tree 2 files changed +23
-23
lines changed Original file line number Diff line number Diff line change @@ -17,32 +17,32 @@ data_source:
1717- Sysmon EventID 17
1818- Sysmon EventID 18
1919search : |
20- `sysmon` EventID=17 OR EventID=18
20+ `sysmon` ( EventID=17 OR EventID=18)
2121 PipeName IN (
22- \\DserNamePipe*,
23- \\interprocess_*,
24- \\lsarpc_*,
25- \\mojo_*,
26- \\msagent_*,
27- \\MSSE-*,
28- \\netlogon_*,
29- \\ntsvcs*,
30- \\postex_*,
31- \\samr_*,
32- \\spoolss_*,
33- \\srvsvc_*,
34- \\status_*,
35- \\UIA_PIPE*
36- \\win_svc*,
37- \\winsock*,
38- \\wkssvc_*,
22+ " \\DserNamePipe*",
23+ " \\interprocess_*" ,
24+ " \\lsarpc_*" ,
25+ " \\mojo_*" ,
26+ " \\msagent_*",
27+ " \\MSSE-*",
28+ " \\netlogon_*" ,
29+ " \\ntsvcs*" ,
30+ " \\postex_*",
31+ " \\samr_*" ,
32+ " \\spoolss_*",
33+ " \\srvsvc_*",
34+ " \\status_*",
35+ " \\UIA_PIPE" *
36+ " \\win_svc*",
37+ " \\winsock*",
38+ " \\wkssvc_*" ,
3939 )
4040 | stats count min(_time) as firstTime max(_time) as lastTime
4141 by dest dvc pipe_name process_exec process_guid process_id process_name process_path
42- signature signature_id user_id vendor_product Image PipeName
42+ signature signature_id user_id vendor_product Image PipeName
4343 | `security_content_ctime(firstTime)`
44- | `security_content_ctime(lastTime)`
45- | `cobalt_strike_named_pipes_filter`'
44+ | `security_content_ctime(lastTime)`
45+ | `cobalt_strike_named_pipes_filter`
4646how_to_implement : To successfully implement this search, you need to be ingesting
4747 logs with the process name, parent process, and command-line executions from your
4848 endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
Original file line number Diff line number Diff line change @@ -31,7 +31,7 @@ search: |
3131 "sqltoolsps.exe"
3232 )
3333 `process_copy`
34- Processes.process IN(
34+ Processes.process IN (
3535 "* \"C:\\Windows\\System32\\*",
3636 "* \'C:\\Windows\\System32\\*",
3737 "* C:\\Windows\\System32\\*",
@@ -48,7 +48,7 @@ search: |
4848 | `drop_dm_object_name(Processes)`
4949 | `security_content_ctime(firstTime)`
5050 | `security_content_ctime(lastTime)`
51- | `suspicious_copy_on_system32_filter`'
51+ | `suspicious_copy_on_system32_filter`
5252how_to_implement : |
5353 The detection is based on data that originates from Endpoint Detection
5454 and Response (EDR) agents. These agents are designed to provide security-related
You can’t perform that action at this time.
0 commit comments