Detection rules › By event
Microsoft-Windows-Sysmon event 17
Sigma (17)
- ADFS Database Named Pipe Connection By Uncommon Tool
- Alternate PowerShell Hosts Pipe
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns
- HackTool - CoercedPotato Named Pipe Creation
- HackTool - Credential Dumping Tools Named Pipe Created
- HackTool - DiagTrackEoP Default Named Pipe
- HackTool - EfsPotato Named Pipe Creation
- HackTool - Koh Default Named Pipe
- Malicious Named Pipe Created
- New PowerShell Instance Created
- PsExec Tool Execution From Suspicious Locations - PipeName
- PUA - CSExec Default Named Pipe
- PUA - PAExec Default Named Pipe
- PUA - RemCom Default Named Pipe
- WMI Event Consumer Created Named Pipe
Elastic (1)
Splunk (9)
- Trickbot Named Pipe
- Windows Anonymous Pipe Activity
- Windows App Layer Protocol Qakbot NamedPipe
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- Windows PUA Named Pipe
- Windows RMM Named Pipe
- Windows Suspicious C2 Named Pipe
- Windows Suspicious Named Pipe