headless_bee

Author: tccontre

detections/endpoint/windows_anonymous_pipe_activity.yml

@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
 search: '`sysmon` EventCode IN (17,18) PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*"))
-    | rename Image as process_name 
+  | rename Image as process_name 
   | stats  min(_time) as firstTime max(_time) as lastTime count by dest user EventCode PipeName signature process_name process_id process_guid EventType 
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`