From deca40ffdc58a77456b38ac83fd59f452a09e45c Mon Sep 17 00:00:00 2001 From: mthcht Date: Sat, 5 Oct 2024 19:57:01 -0300 Subject: [PATCH] Update suspicious_named_pipe_list.csv --- Lists/suspicious_named_pipe_list.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lists/suspicious_named_pipe_list.csv b/Lists/suspicious_named_pipe_list.csv index 40c1aa06c..cbd8404d0 100644 --- a/Lists/suspicious_named_pipe_list.csv +++ b/Lists/suspicious_named_pipe_list.csv 
@@ -139,7 +139,7 @@ pipe_name,metadata_description,metadata_tool,metadata_category,metadata_link,met \EngineerPipe,A C# Command & Control framework,HardHatC2,C2,https://github.com/DragoQCC/HardHatC2/blob/e55b0d39345cbe7512c4f96e5a9128c305473b93/Engineer/Commands/InlineShellcode.cs#L47,critical,N/A,critical,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/HardHatC2.csv \demon_pipe,Havoc C2 pipe name,Havoc,C2,https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/profiles/http_smb.yaotl#L67,high,none,high,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/havoc.csv \Ctx_WinStation_API_service,impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,low,critical,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv -"\LSM_API_service ",impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,low,critical,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv +\LSM_API_service,impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,low,critical,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv \protected_storage,impacket dpapi - using the DPAPI/Vault structures to unlock Windows Secrets,impacket,Credential Access,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/examples/dpapi.py#L261,high,high,medium,offensive_tool,Hunting,pipe used by multiple projects - subject to false 
positives,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv \TermSrv_API_service,impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,low,critical,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv \AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*,impacketremoteshell default pipe name,impacketremoteshell,Lateral Movement,https://github.com/trustedsec/The_Shelf,critical,none,critical,offensive_tool,detection rule,N/A,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv
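Review bot: The fix is correct, but the same defect should be hunted across the rest of the file and the commit message should say what was actually fixed. The old row `"\LSM_API_service ",impacket dcerpc,...` carried a trailing space inside the pipe_name field (which is the only reason the value was CSV-quoted), so any consumer comparing pipe_name with exact equality could never match the real `\LSM_API_service` pipe and the entry was dead weight; the new row `\LSM_API_service,impacket dcerpc,impacket,Exploitation,...` removes both the space and the now-unnecessary quotes, and its remaining columns are identical to the neighbouring impacket rows (`\Ctx_WinStation_API_service`, `\TermSrv_API_service`), which is what one would expect. Suggested follow-ups: scan the whole CSV for other quoted or whitespace-padded pipe_name values, since the header `pipe_name,metadata_description,metadata_tool,...` gives no hint that padding is ever intended, and add a lightweight lint (no leading or trailing whitespace in pipe_name, quotes only when the value contains a comma) so this cannot regress. The subject "Update suspicious_named_pipe_list.csv" does not tell future readers that this was a data-quality fix; "Strip trailing space from \LSM_API_service pipe name" would.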