Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/pipe_created/pipe_created_tool_psexec.yml

@@ -0,0 +1,49 @@
+
+title: PsExec Tool Execution
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+  Sysmon)
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName: \PSEXESVC
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
+level: low
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029

rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml

@@ -0,0 +1,41 @@
+
+title: Alternate PowerShell Hosts Pipe
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+  for powershell.exe
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName: \PSHost*
+  SELECTION_4:
+    Image:
+    - '*\powershell.exe'
+    - '*\powershell_ise.exe'
+    - '*\WINDOWS\System32\sdiagnhost.exe'
+    - '*\WINDOWS\System32\wsmprovhost.exe'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and  not (SELECTION_4))
+falsepositives:
+- Programs using PowerShell directly without invocation of a dedicated interpreter.
+fields:
+- ComputerName
+- User
+- Image
+- PipeName
+id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
+level: medium
+logsource:
+  category: pipe_created
+  product: windows
+modified: 2021/12/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+status: test
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001

rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml

@@ -0,0 +1,41 @@
+
+title: Turla Group Named Pipes
+ruletype: Sigma
+author: Markus Neis
+date: 2017/11/06
+description: Detects a named pipe used by Turla group samples
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName:
+    - \atctl
+    - \userpipe
+    - \iehelper
+    - \sdlrpc
+    - \comnap
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 739915e4-1e70-4778-8b8a-17db02f66db1
+level: critical
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/11/27
+references:
+- Internal Research
+- https://attack.mitre.org/groups/G0010/
+status: test
+tags:
+- attack.g0010
+- attack.execution
+- attack.t1106

rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml

@@ -0,0 +1,42 @@
+
+title: Cred Dump-Tools Named Pipes
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+description: Detects well-known credential dumping tools execution via specific named
+  pipes
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName:
+    - '*\lsadump*'
+    - '*\cachedump*'
+    - '*\wceservicepipe*'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Legitimate Administrator using tool for password recovery
+id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
+level: critical
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005

rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml

@@ -0,0 +1,37 @@
+
+title: EfsPotato Named Pipe
+ruletype: Sigma
+author: Florian Roth
+date: 2021/08/23
+description: Detects the pattern of a pipe name as used by the tool EfsPotato
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName:
+    - '*\pipe\\*'
+    - '*\pipe\srvsvc*'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
+level: critical
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+references:
+- https://twitter.com/SBousseaden/status/1429530155291193354?s=20
+- https://github.com/zcgonvh/EfsPotato
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml

@@ -0,0 +1,49 @@
+
+title: CobaltStrike Named Pipe
+ruletype: Sigma
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/25
+description: Detects the creation of a named pipe as used by CobaltStrike
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName: '*\MSSE-*'
+  SELECTION_4:
+    PipeName: '*-server*'
+  SELECTION_5:
+    PipeName: \postex_*
+  SELECTION_6:
+    PipeName: \postex_ssh_*
+  SELECTION_7:
+    PipeName: \status_*
+  SELECTION_8:
+    PipeName: \msagent_*
+  condition: ((SELECTION_1 or SELECTION_2) and ((SELECTION_3 and SELECTION_4) or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+level: critical
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    always use Cobalt Strike, but also you can check powershell script from this site
+    https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+references:
+- https://twitter.com/d4rksystem/status/1357010969264873472
+- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
+- https://github.com/Neo23x0/sigma/issues/253
+- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml

@@ -0,0 +1,79 @@
+
+title: CobaltStrike Named Pipe Pattern Regex
+ruletype: Sigma
+author: Florian Roth
+date: 2021/07/30
+description: Detects the creation of a named pipe matching a pattern used by CobaltStrike
+  Malleable C2 profiles
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_10:
+    PipeName|re: \\\\ntsvcs_[0-9a-f]{2}
+  SELECTION_11:
+    PipeName|re: \\\\scerpc_?[0-9a-f]{2}
+  SELECTION_12:
+    PipeName|re: \\\\PGMessagePipe[0-9a-f]{2}
+  SELECTION_13:
+    PipeName|re: \\\\MsFteWds[0-9a-f]{2}
+  SELECTION_14:
+    PipeName|re: \\\\f4c3[0-9a-f]{2}
+  SELECTION_15:
+    PipeName|re: \\\\fullduplex_[0-9a-f]{2}
+  SELECTION_16:
+    PipeName|re: \\\\msrpc_[0-9a-f]{4}
+  SELECTION_17:
+    PipeName|re: \\\\win\\\\msrpc_[0-9a-f]{2}
+  SELECTION_18:
+    PipeName|re: \\\\f53f[0-9a-f]{2}
+  SELECTION_19:
+    PipeName|re: \\\\rpc_[0-9a-f]{2}
+  SELECTION_2:
+    EventID: 18
+  SELECTION_20:
+    PipeName|re: \\\\spoolss_[0-9a-f]{2}
+  SELECTION_21:
+    PipeName|re: \\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,
+  SELECTION_3:
+    PipeName|re: \\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
+  SELECTION_4:
+    PipeName|re: \\\\wkssvc_?[0-9a-f]{2}
+  SELECTION_5:
+    PipeName|re: \\\\ntsvcs[0-9a-f]{2}
+  SELECTION_6:
+    PipeName|re: \\\\DserNamePipe[0-9a-f]{2}
+  SELECTION_7:
+    PipeName|re: \\\\SearchTextHarvester[0-9a-f]{2}
+  SELECTION_8:
+    PipeName|re: \\\\mypipe\-(?:f|h)[0-9a-f]{2}
+  SELECTION_9:
+    PipeName|re: \\\\windows\.update\.manager[0-9a-f]{2,3}
+  condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or
+    SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or
+    SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or
+    SELECTION_21))
+falsepositives:
+- Unknown
+id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
+level: critical
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g.
+    https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
+    How to test detection? You can always use Cobalt Strike, but also you can check
+    powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/09/02
+references:
+- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/pipe_created/sysmon_mal_namedpipes.yml

@@ -0,0 +1,71 @@
+
+title: Malicious Named Pipe
+ruletype: Sigma
+author: Florian Roth, blueteam0ps, elhoim
+date: 2017/11/06
+description: Detects the creation of a named pipe used by known APT malware
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName:
+    - \isapi_http
+    - \isapi_dg
+    - \isapi_dg2
+    - \sdlrpc
+    - \ahexec
+    - \winsession
+    - \lsassw
+    - \46a676ab7f179e511e30dd2dc41bd388
+    - \9f81f59bc58452127884ce513865ed20
+    - \e710f28d59aa529d6792ca6ff0ca1b34
+    - \rpchlp_3
+    - \NamePipe_MoreWindows
+    - \pcheap_reuse
+    - \gruntsvc
+    - \583da945-62af-10e8-4902-a8f205c72b2e
+    - \bizkaz
+    - \svcctl
+    - \Posh*
+    - \jaccdpqnvbrrxlaf
+    - \csexecsvc
+    - \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
+    - \adschemerpc
+    - \AnonymousPipe
+    - \bc367
+    - \bc31a7
+    - \testPipe
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
+level: critical
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/10/30
+references:
+- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
+- https://securelist.com/faq-the-projectsauron-apt/75533/
+- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+- https://www.us-cert.gov/ncas/alerts/TA17-117A
+- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
+- https://thedfirreport.com/2020/06/21/snatch-ransomware/
+- https://github.com/RiccardoAncarani/LiquidSnake
+- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
+- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
+- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml

@@ -0,0 +1,28 @@
+
+title: T1086 PowerShell Execution
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects execution of PowerShell
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName: \PSHost*
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
+level: informational
+logsource:
+  category: pipe_created
+  product: windows
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+status: test
+tags:
+- attack.execution
+- attack.t1059.001

rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml

@@ -0,0 +1,38 @@
+
+title: PsExec Pipes Artifacts
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/05/10
+description: Detecting use PsExec via Pipe Creation/Access to pipes
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName:
+    - psexec*
+    - paexec*
+    - remcom*
+    - csexec*
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Legitimate Administrator activity
+id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+level: medium
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/11/27
+references:
+- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002

rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml

@@ -0,0 +1,42 @@
+
+title: ADFS Database Named Pipe Connection
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2021/10/08
+description: Detects suspicious local connections via a named pipe to the AD FS configuration
+  database (Windows Internal Database). Used to access information such as the AD
+  FS configuration settings which contains sensitive information used to sign SAML
+  tokens.
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName: \MICROSOFT##WID\tsql\query
+  SELECTION_4:
+    Image:
+    - '*Microsoft.IdentityServer.ServiceHost.exe'
+    - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+    - '*AzureADConnect.exe'
+    - '*Microsoft.Tri.Sensor.exe'
+    - '*wsmprovhost.exe'
+    - '*mmc.exe'
+    - '*sqlservr.exe'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and  not (SELECTION_4))
+falsepositives:
+- Processes in the filter condition
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+level: critical
+logsource:
+  category: pipe_created
+  product: windows
+modified: 2021/11/07
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+- https://o365blog.com/post/adfs/
+- https://github.com/Azure/SimuLand
+status: experimental
+tags:
+- attack.collection
+- attack.t1005

rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml

@@ -0,0 +1,77 @@
+
+title: CobaltStrike Named Pipe Patterns
+ruletype: Sigma
+author: Florian Roth, Christian Burkard
+date: 2021/07/30
+description: Detects the creation of a named pipe with a pattern found in CobaltStrike
+  malleable C2 profiles
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    PipeName:
+    - \mojo.5688.8052.183894939787088877*
+    - \mojo.5688.8052.35780273329370473*
+    - \mypipe-f*
+    - \mypipe-h*
+    - \ntsvcs*
+    - \scerpc*
+    - \win_svc*
+    - \spoolss*
+    - \msrpc_*
+    - \win\msrpc_*
+    - \wkssvc*
+    - \f53f*
+    - \windows.update.manager*
+    - \SearchTextHarvester*
+    - \DserNamePipe*
+    - \PGMessagePipe*
+    - \MsFteWds*
+    - \f4c3*
+    - \fullduplex_*
+    - \rpc_*
+  SELECTION_4:
+    PipeName:
+    - \demoagent_11
+    - \demoagent_22
+  SELECTION_5:
+    PipeName: \Winsock2\CatalogChangeListener-*
+  SELECTION_6:
+    PipeName: '*-0,'
+  SELECTION_7:
+    PipeName:
+    - \wkssvc
+    - \spoolss
+    - \scerpc
+    - \ntsvcs
+    - \SearchTextHarvester
+    - \PGMessagePipe
+    - \MsFteWds
+  condition: ((SELECTION_1 or SELECTION_2) and ((SELECTION_3 or SELECTION_4) or (SELECTION_5
+    and SELECTION_6)) and  not (SELECTION_7))
+falsepositives:
+- Chrome instances using the exactly same name pipe named mojo.something
+id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
+level: high
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g.
+    https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
+    How to test detection? You can always use Cobalt Strike, but also you can check
+    powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+modified: 2021/08/26
+references:
+- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml

@@ -0,0 +1,33 @@
+
+title: WMI Event Consumer Created Named Pipe
+ruletype: Sigma
+author: Florian Roth
+date: 2021/09/01
+description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    Image: '*\scrcons.exe'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
+level: high
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
+    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
+    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You can
+    check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+references:
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
+tags:
+- attack.t1047
+- attack.execution