Update suspicious_named_pipe_list.csv

mthcht · Oct 5, 2024 · 493f756 · 493f756
1 parent 498e22f
commit 493f756
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Lists/suspicious_named_pipe_list.csv b/Lists/suspicious_named_pipe_list.csv
@@ -32,7 +32,7 @@ pipe_name,metadata_description,metadata_tool,metadata_category,metadata_link,met
 \AmperageHwReqDetour,enabling Recall in Windows 11 version 24H2 on unsupported devices,AmperageKit,Collection,https://github.com/thebookisclosed/AmperageKit/blob/6e6ef23c0d61aec38f3c1f00d9db53d92b42cc1e/Amperage/Program.cs#L283,high,none,medium,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/AmperageKit.csv
 \adprinterpipe,anydesk,anydesk,RMM,https://www.hybrid-analysis.com/sample/99dcdda32ee45835489890b3bcc273116bdcf6c263e0cf6f74542ea3d56b78a1/60e21d53d4e6ff722e5617e6,low,high,medium,greyware_tool,Hunting,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/anydesk.csv
 \ssnp,APT1 pipe,APT1,Malware,https://github.com/Yara-Rules,high,N/A,high,offensive_tool,detection rule,N/A,https://github.com/mthcht/awesome-lists
-\samr,BadPotato leaks a system token handle through the MS RPN API which can be used to get NT AUTHORITY\SYSTEM access if you have the SeImpersonatePrivilege - also legit uses could be observed,BadPotato,Privilege Escalation,https://github.com/calebstewart/pwncat-badpotato/blob/29b919d7d15c86836fc6c2fda4e3be8083a31fb1/RPC/samr.cs#L120,high,medium,medium,offensive_tool,Hunting,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Earth%20Lusca%20Operations%20Tools%20.csv
+\samr,BadPotato leaks a system token handle through the MS RPN API which can be used to get NT AUTHORITY\SYSTEM access if you have the SeImpersonatePrivilege - also lots of legit uses could be observed,BadPotato,Privilege Escalation,https://github.com/calebstewart/pwncat-badpotato/blob/29b919d7d15c86836fc6c2fda4e3be8083a31fb1/RPC/samr.cs#L120,high,critical,info,offensive_tool,Hunting,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Earth%20Lusca%20Operations%20Tools%20.csv
 \Bomgar-enum_cp-*,Bomgar Beyoudtrust Remote access software - named pipe used by *:\ProgramData\bomgar-scc-*\bomgar-scc.exe,Bomgar,RMM,beyondtrustcloud.com,high,none,high,greyware_tool,Hunting,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/Bomgar.csv
 \0029482318be6784,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,critical,N/A,critical,offensive_tool,detection rule,N/A,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
 \7fd13a,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,high,medium,medium,offensive_tool,Hunting,N/A,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/