From 867b37a48b739fbea8b0b207ea678b4de2090538 Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Thu, 27 May 2021 19:42:26 +0200
Subject: [PATCH 1/2] Important and relevant NamedPipe names

The events generated by an explicit matches on the listed pipe names should be few and highly relevant.
---
 sysmonconfig-export.xml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f4acf26..0a5aac8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -820,11 +820,18 @@
 		<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
 
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-	<RuleGroup name="" groupRelation="or">
-		<PipeEvent onmatch="include">
-			<!--NOTE: Using incide with no rules means nothing in this section will be logged-->
-		</PipeEvent>
-	</RuleGroup>
+		<RuleGroup name="" groupRelation="or">
+			<PipeEvent onmatch="include">
+				<PipeName condition="contains any">paexec;remcom;csexec</PipeName>
+				<PipeName condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+				<PipeName condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+				<PipeName condition="contains all">MSSE-;-server</PipeName>
+				<PipeName condition="begin with">\postex_</PipeName>
+				<PipeName condition="begin with">\postex_ssh_</PipeName>
+				<PipeName condition="begin with">\status_</PipeName>
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			</PipeEvent>
+		</RuleGroup>
 
 	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
 		<!--EVENT 19: "WmiEventFilter activity detected"-->
@@ -1156,4 +1163,4 @@
 		<!--Cannot be filtered.-->
 
 	</EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>

From 83b7a06ac483d8abfe6abe7c61c60500d4b795f3 Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Fri, 28 May 2021 09:28:09 +0200
Subject: [PATCH 2/2] Added missing CS pipe and some comments

---
 sysmonconfig-export.xml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0a5aac8..93aa92e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -822,14 +822,19 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
 		<RuleGroup name="" groupRelation="or">
 			<PipeEvent onmatch="include">
+				<!-- Remote Command Execution Tools -->
 				<PipeName condition="contains any">paexec;remcom;csexec</PipeName>
+				<!-- Password or Credential Dumpers -->
 				<PipeName condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+				<!-- Malware -->
 				<PipeName condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+				<!-- Cobalt Strike Pipe Names -->
 				<PipeName condition="contains all">MSSE-;-server</PipeName>
 				<PipeName condition="begin with">\postex_</PipeName>
 				<PipeName condition="begin with">\postex_ssh_</PipeName>
 				<PipeName condition="begin with">\status_</PipeName>
-				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+				<PipeName condition="begin with">\msagent_</PipeName>
 			</PipeEvent>
 		</RuleGroup>