Techniques
Sample rules
HackTool - EfsPotato Named Pipe Creation
- source: sigma
- techniques:
  - t1055
Description
Detects the pattern of a pipe name as used by the hack tool EfsPotato
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_ctx:
  PipeName|contains: \CtxShare
filter_optional_default:
  PipeName|startswith: \pipe\
selection:
  PipeName|contains:
    - \pipe\
    - \pipe\srvsvc