pipe_name,metadata_description,metadata_tool,metadata_category,metadata_link,metadata_priority,metadata_fp_risk,metadata_severity,metadata_tool_type,metadata_usage,metadata_comment,metadata_reference,metadata_regex_cortex
\RustPotato*,A Rust implementation of GodPotato - abusing SeImpersonate to gain SYSTEM privileges,RustPotato,Privilege Escalation,https://github.com/safedv/RustPotato/blob/92f9ab864183347c736ffe8e3bd01cb5ae053a85/src/context.rs#L111,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^RustPotato.*
\barnofoo\pipe\spoolss,printspoofer exploit in Shad0w,shad0w,Privilege Escalation,https://github.com/bats3c/shad0w/blob/d35b9dc74319800bbab1678aba69258532ec0200/exploits/system_printspoofer/src/exploit/exploit.c#L18,high,low,medium,offensive_tool,Hunting,,https://github.com/mthcht/awesome-lists,^barnofoo\\pipe\\spoolss$
\WF3ss22NHFsnBgfsHDF6,Gh0stGambit named pipe - A Dropper for Deploying Gh0st RAT,Gh0stGambit,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/www_esentire_com/blog_a-dropper-for-deploying-gh0st-rat/content.txt#L1170,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^WF3ss22NHFsnBgfsHDF6$
\mojo.5688.8052.1838949397870888770b,Gootloader Cobalt Strike SMB beacon configuration,Gootloader,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/thedfirreport_com/2024_02_26_seo-poisoning-to-domain-control-the-gootloader-saga-continues/content.txt#L1438,high,low,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^mojo.5688.8052.1838949397870888770b$
\WkSvcPipeMgr_JORW2e,BlackSuit ransomware configured named pipe,BlackSuit,Ransomware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/thedfirreport_com/2024_08_26_blacksuit-ransomware/content.txt#L1150,high,low,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^WkSvcPipeMgr_JORW2e$
\susrv,RawPOS Malware named pipe,RawPOS,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/sjc1-te-ftp_trendmicro_com/images_tex_pdf_RawPOS_20Technical_20Brief_pdf/content.txt#L708,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^susrv$
\WCEServicePipe,Windows Credential Editor (WCE) default named pipe,Windows Credential Editor,Credential Access,https://github.com/returnvar/wce,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WCE.csv,^WCEServicePipe$
\SigmaPotato,windows privilege escalation utility from the Potato family of exploits leveraging the SeImpersonate right to obtain SYSTEM privileges (similar to godpotato),Sigmapotato,Privilege Escalation,https://github.com/tylerdotrar/SigmaPotato/blob/ca05cf428324e69c9b3065f6041047695b3ce0d9/NativeAPI/SigmaPotatoContext.cs#L34,critical,none,critical,offensive_tool,detection rule,Pipe create event,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/SigmaPotato.csv,^SigmaPotato$
\NamedPipeMaster,a tool used to analyze and monitor named pipes,NamedPipeMaster,Exploitation,https://github.com/zeze-zeze/NamedPipeMaster/blob/c01a39af26d9bdc567f61306e5399e40a11a31f2/NamedPipeMasterBase/defines.h#L7,critical,none,critical,offensive_tool,detection rule,Pipe create event,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NamedPipeMaster.csv,^NamedPipeMaster$
\gsecdump_*,credential dumper used to obtain password hashes and LSA secrets from Windows operating systems,gsecdump,Credential Access,https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/gsecdump.csv,^gsecdump_.*
\PipeCmd_communicaton,Pipecmd chinese hacking tool default named pipe,Pipecmd,Exploitation,https://www.virustotal.com/gui/file/e469117685cd572da1f4371a093b91d771b2ced926c57cf5d960f875bc516a32,critical,none,critical,offensive_tool,detection rule,,https://github.com/Neo23x0/signature-base/blob/758d5b0ab4f443bc9ae08f7eea680409cf70ed9a/yara/thor-hacktools.yar#L3001,^PipeCmd_communicaton$
\beyondexec*,BeyondExec RAT - rexesvr.exe named pipe,BeyondExec,Malware,https://www.hybrid-analysis.com/sample/3d3e3f0708479d951ab72fa04ac63acc7e5a75a5723eb690b34301580747032c?environmentId=100,critical,none,critical,offensive_tool,detection rule,,https://github.com/Neo23x0/signature-base/blob/758d5b0ab4f443bc9ae08f7eea680409cf70ed9a/yara/thor-hacktools.yar#L3645,^beyondexec.*
\Pipe name,default named pipe example for C3 named pipe configuration,C3,C2,https://github.com/WithSecureLabs/C3/blob/e1b9922d199e45e222001a3afe47757349f24e7a/Src/Common/FSecure/C3/Interfaces/Peripherals/Grunt.cpp#L265,high,medium,medium,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/C3.csv,^Pipe name$
\HighPriv,EasySystem.ps1 default pipe service usage,EasySystem,Privilege Escalation,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/PowershellScripts/EasySystem.ps1#L578,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^HighPriv$
\ElevationPipe,default named pipe from ShimMe presented at Defcon32 - Manipulating Shim and Office for Code Injection,ShimMe,Privilege Escalation,https://github.com/deepinstinct/ShimMe/blob/38fc3f922d8e4117a2256e6b9b11b726a5468244/Injected/Injected.h#L7,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/ShimMe.csv,^ElevationPipe$
\megacmdpipe_*,Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers),MEGAcmd,Data Exfiltration,https://github.com/meganz/MEGAcmd/blob/d0a1e8e2c7d70fd951ef47d2d92243a65f0bb6eb/src/megacmdcommonutils.cpp#L1529,critical,low,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MEGAcmd.csv,^megacmdpipe_.*
\hmpalert,legitimate sophos hitmanpro driver vulnerable to SYSTEM privilege escalation before version 3.8 - abused by attackers,hitmanpro,Privilege Escalation,https://raw.githubusercontent.com/mthcht/Purpleteam/main/Simulation/Windows/POC/hitmanpro/CVE-2018-3971.py,medium,high,low,greyware_tool,Hunting,false positives expected,https://github.com/mthcht/awesome-lists,^hmpalert$
\syelog,associated with Microsoft's Detours - a library used for intercepting Win32 functions - used by the offensive tool defender-control,Detours,Defense Evasion,https://github.com/pgkt04/defender-control/blob/f4bb9f3340c83e6a0ab50650697ce865e935ba37/src/detour/86/include/syelog.h#L21,low,medium,low,greyware_tool,Hunting,false positives expected - low severity,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/defender-control.csv,^syelog$
\docker_wsl,deprecated docker wsl cotainer usage,wsl,compliance,https://github.com/MicrosoftDocs/WSL/blob/b6dc675e3304e8d52b54749000575cc2da6a4c0a/WSL/tutorials/wsl-containers.md?plain=1#L148,low,high,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^docker_wsl$
\orbit-osquery-extension,Orbit is a lightweight osquery installer and autoupdater used by Fleetdm,fleetdm,RMM,https://github.com/fleetdm/fleet/blob/08bc4fe8b50e6f97195106cfbb72dd1d7f853286/orbit/pkg/osquery/osquery.go#L193,high,low,medium,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/fleetdm.csv,^orbit-osquery-extension$
\Godpotato*,windows privilege escalation utility from the Potato family of exploits leveraging the SeImpersonate right to obtain SYSTEM privileges,GodPotato,Privilege Escalation,https://github.com/BeichenDream/GodPotato,critical,none,critical,offensive_tool,detection rule,full pipe name observed: \Godpotato\pipe\epmapper,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/GodPotato.csv,^Godpotato.*
\DeadPotato*,windows privilege escalation utility from the Potato family of exploits leveraging the SeImpersonate right to obtain SYSTEM privileges,DeadPotato,Privilege Escalation,https://github.com/lypd0/DeadPotato,critical,none,critical,offensive_tool,detection rule,full pipe name observed: \DeadPotato\pipe\epmapper,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DeadPotato.csv,^DeadPotato.*
\pyc-*,Python compiled files - Benign and part of normal Python operations but could indicate malicious activity in environments where Python is uncommon,Python,Compliance,,info,high,info,greyware_tool,Hunting,could detect some stealer - still a compliance rule reserved for TH,https://github.com/mthcht/awesome-lists,^pyc-.*
\foobar,suspicious string - could be a test - often used in POC exploitation for demonstration,_,,https://github.com/mthcht/awesome-lists,high,,medium,offensive_tool,Hunting,,https://github.com/mthcht/awesome-lists,^foobar$
\pipename,suspicious string - could be a test,_,,https://github.com/mthcht/awesome-lists,high,,medium,offensive_tool,Hunting,,https://github.com/mthcht/awesome-lists,^pipename$
\piper,From High Integrity to SYSTEM with Name Pipes,_,Privilege Escalation,https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes,critical,,critical,offensive_tool,detection rule,,https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes,^piper$
\testpipe,Hunting for suspicious string,_,,https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/,high,high,medium,offensive_tool,Hunting,used by a lot of legitimate projects,https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/,^testpipe$
\$77childproc64,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77childproc64$
\$77stager,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77stager$
\$77svc32,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77svc32$
\$77svc64,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77svc64$
\$77config,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77config$
\$77childproc,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77childproc$
\$77control_redirec,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77control_redirec$
\$77control,Fileless ring 3 rootkit with installer and persistence that hides processes - files - network connections,77-rootkit,Persistence,https://github.com/bytecode77/r77-rootkit/blob/e2faaf8b095239fc6522bd3a897a9e5d1f0cd79e/%24Examples/ControlPipe.cpp#L11,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/R-T/r77-rootkit,^$77control$
\DAV RPC SERVICE,used by aeroadmin for remote control (also used by other lateral movement tools and tools like keepass and chrome),aeroadmin,RMM,https://ulm.aeroadmin.com/AeroAdmin.exe,high,high,medium,greyware_tool,Hunting,,https://ulm.aeroadmin.com/AeroAdmin.exe,^DAV RPC SERVICE$
\AmperageAIXSysRemove,enabling Recall in Windows 11 version 24H2 on unsupported devices,AmperageKit,Collection,https://github.com/thebookisclosed/AmperageKit/blob/6e6ef23c0d61aec38f3c1f00d9db53d92b42cc1e/Amperage/Program.cs#L283,high,none,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/AmperageKit.csv,^AmperageAIXSysRemove$
\AmperageHwReqDetour,enabling Recall in Windows 11 version 24H2 on unsupported devices,AmperageKit,Collection,https://github.com/thebookisclosed/AmperageKit/blob/6e6ef23c0d61aec38f3c1f00d9db53d92b42cc1e/Amperage/Program.cs#L283,high,none,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/AmperageKit.csv,^AmperageHwReqDetour$
\adprinterpipe,anydesk,anydesk,RMM,https://www.hybrid-analysis.com/sample/99dcdda32ee45835489890b3bcc273116bdcf6c263e0cf6f74542ea3d56b78a1/60e21d53d4e6ff722e5617e6,low,high,medium,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/anydesk.csv,^adprinterpipe$
\ssnp,APT1 pipe,APT1,Malware,https://github.com/Yara-Rules,high,,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^ssnp$
\samr,BadPotato leaks a system token handle through the MS RPN API which can be used to get NT AUTHORITY\SYSTEM access if you have the SeImpersonatePrivilege - also lots of legit uses could be observed,BadPotato,Privilege Escalation,https://github.com/calebstewart/pwncat-badpotato/blob/29b919d7d15c86836fc6c2fda4e3be8083a31fb1/RPC/samr.cs#L120,high,critical,info,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Earth%20Lusca%20Operations%20Tools%20.csv,^samr$
\Bomgar-enum_cp-*,Bomgar Beyoudtrust Remote access software - named pipe used by *:\ProgramData\bomgar-scc-*\bomgar-scc.exe,Bomgar,RMM,beyondtrustcloud.com,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/Bomgar.csv,^Bomgar-enum_cp-.*
\0029482318be6784,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,critical,,critical,offensive_tool,detection rule,,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,^0029482318be6784$
\7fd13a,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,high,medium,medium,offensive_tool,Hunting,,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,^7fd13a$
\uwjjqz,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,high,medium,medium,offensive_tool,Hunting,,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,^uwjjqz$
\vllyad,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,high,medium,medium,offensive_tool,Hunting,,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,^vllyad$
\wafrms,bumblebee malware,bumblebee,Malware,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,critical,,critical,offensive_tool,detection rule,,https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/,^wafrms$
\aswSP_Avar*,BYOD to kill AV/EDR,BYOVD_kill_av_edr,Defense Evasion,https://github.com/infosecn1nja/red-team-scripts/blob/main/BYOVD_kill_av_edr.c,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/BYOVD_kill_av_edr.csv,^aswSP_Avar.*
*IpHlpSvc.log*,kernel exploit Chimichurri.cpp,Chimichurri,Privilege Escalation,https://github.com/helloexp/0day/blob/29bd78f73941b39e36d38cd1653433dcf2ce588e/97-Windows%E6%8F%90%E6%9D%83/MS09-012/Chimichurri/Chimichurri.cpp#L98,critical,,critical,offensive_tool,detection rule,,https://github.com/helloexp/0day/blob/29bd78f73941b39e36d38cd1653433dcf2ce588e/97-Windows%E6%8F%90%E6%9D%83/MS09-012/Chimichurri/Chimichurri.cpp#L98,^.*IpHlpSvc.log.*
\A09C7C26ED857C36,Cinmeng Trojan,Cinmeng,Malware,https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Trojan/Win32/Cinmeng/Trojan_Win32_Cinmeng.yar#L21,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^A09C7C26ED857C36$
\[1428],CloudSorcerer APT backdoor module,CloudSorcerer,Malware,https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/,high,medium,medium,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^[1428]$
\WkSvcPipeMgr_*,cobaltstrike pipe names,CobaltStrike,C2,https://thedfirreport.com/2024/08/26/blacksuit-ransomware/,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^WkSvcPipeMgr_.*
\MSSE-*-server,cobaltstrike pipe names,CobaltStrike,C2,https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^MSSE-.*-server$
\hashdump,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^hashdump$
\334485,CobaltStrike Beacon Activity,CobaltStrike,C2,https://github.com/NextronSystems/APTSimulator/blob/9061d12d0474d971726c2fc08b395af1394fc74b/test-sets/cobaltstrike/cobaltstrike-simulation.bat#L46,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^334485$
\461092,CobaltStrike Beacon Activity,CobaltStrike,C2,https://github.com/outflanknl/RedELK/blob/417793d467e031bb0ba253985054bdf1486a85cb/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_22170412.log#L493,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^461092$
\66bee3,GetSystem in Meterpreter & Cobalt Strikes Beacon,CobaltStrike,C2,https://github.com/splunk/car/blob/5f74ab40c7e27accc38a5ee0fa664a68dbabc0cc/docs/analytics/CAR-2021-02-002/index.md?plain=1#L100,critical,medium,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^66bee3$
\8e8988b257e9dd2ea44ff03d44d26467b7c9ec16,CobaltStrike_CNA CVE_2020_0787 ,CobaltStrike,Privilege Escalation,https://github.com/yanghaoi/CobaltStrike_CNA/blob/7134e77c410cdfdd9c4081ed2bc12b1e3291b1aa/PrivilegeEscalation/CVE_2020_0787.cna#L14,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^8e8988b257e9dd2ea44ff03d44d26467b7c9ec16$
\demoagent_11,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^demoagent_11$
\demoagent_22,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^demoagent_22$
\DserNamePipe*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^DserNamePipe.*
\keylogger,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^keylogger$
\netview,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^netview$
\portscan,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^portscan$
\screenshot,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^screenshot$
\sshagent,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^sshagent$
\PIPEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^PIPEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.*
\bypassuac,cobaltstrike pipe names,CobaltStrike,C2,,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^bypassuac$
\f4c3*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^f4c3.*
\f53f*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^f53f.*
\fullduplex_*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^fullduplex_.*
\fvxens,GetSystem in Meterpreter & Cobalt Strike Beacon,CobaltStrike,C2,https://github.com/splunk/car/blob/5f74ab40c7e27accc38a5ee0fa664a68dbabc0cc/docs/analytics/CAR-2021-02-002/index.md?plain=1#L100,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^fvxens$
\mojo.5688.8052.183894939787088877*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,medium,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^mojo.5688.8052.183894939787088877.*
\mojo.5688.8052.35780273329370473*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,medium,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^mojo.5688.8052.35780273329370473.*
\msagent_*,CobaltStrike Beacon Activity,CobaltStrike,C2,https://github.com/outflanknl/RedELK/blob/417793d467e031bb0ba253985054bdf1486a85cb/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_22170412.log#L471,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^msagent_.*
\MsFteWds*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^MsFteWds[0-9a-f]{2}.*
\msrpc_*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^msrpc_.*
\mypipe-f*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^mypipe-f.*
\mypipe-h*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^mypipe-h.*
\ntsvcs*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,low,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^ntsvcs.*
\PGMessagePipe*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^PGMessagePipe.*
\postex_*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/olafhartong/sysmon-modular/blob/a9ff298f6d228c181be71b213c73d111c6096f41/17_18_pipe_event/include_cobaltstrike.xml#L11,critical,low,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^postex_.*
\postex_ssh_*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/olafhartong/sysmon-modular/blob/a9ff298f6d228c181be71b213c73d111c6096f41/17_18_pipe_event/include_cobaltstrike.xml#L11,critical,low,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^postex_ssh_.*
\rpc_*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,low,critical,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^rpc_.*
\scerpc*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^scerpc.*
\SearchTextHarvester*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^SearchTextHarvester.*
\servicepipe.zo9keez4weechei8johR.0521cc13,cobaltstrike pipe names,CobaltStrike,C2,https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^servicepipe.zo9keez4weechei8johR.0521cc13$
\spoolss*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48 - https://github.com/chvancooten/OSEP-Code-Snippets/blob/43b929eb8579c0ea85e3a6f86d6e97136af899af/PrintSpoofer.NET/Program.cs#L100,critical,high,info,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^spoolss.*
\win\msrpc_*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^win\\msrpc_.*
\win_svc*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^win_svc.*
\windows.update.manager*,cobaltstrike pipe names,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^windows.update.manager.*
\wkssvc*,SMB Protocol,CobaltStrike,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml#L48,critical,high,info,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^wkssvc.*
\comnap,cobra - The orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an external machine,cobra,Malware,https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra,high,,high,offensive_tool,detection rule,,https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra,^comnap$
\sdlrpc,cobra - The orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an external machine,cobra,Malware,https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra,high,,high,offensive_tool,Hunting,,https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra,^sdlrpc$
\coerced*,CoercedPotato From Patate (LOCAL/NETWORK SERVICE) to SYSTEM,CoercedPotato,Privilege Escalation,https://github.com/Prepouce/CoercedPotato,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CoercedPotato.csv,^coerced.*
\gruntsvc*,covenant - SMB/Windows Admin Shares,covenant,Lateral Movement,https://github.com/olafhartong/sysmon-modular/blob/a9ff298f6d228c181be71b213c73d111c6096f41/17_18_pipe_event/include_covenant.xml#L5C112-L5C121,high,,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/covenant.csv,^gruntsvc.*
\svcctl,Service Control Manager Remote Protocol used by many lateral movement tools,CrackMapExec,Lateral Movement,https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/protocols/smb.py#L635,critical,high,info,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/crackmapexec.csv,^svcctl$
\CHECKONE,Clop Ransomware Cryptinject,CryptInject,Ransomware,https://www.joesandbox.com/analysis/883539/0/html,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^CHECKONE$
\cuckoo,Attempts to detect Cuckoo Sandbox through the presence of \cuckoo,cuckoo,Defense Evasion,https://github.com/cuckoosandbox/community/blob/14864b9fa2ba2576ca11887caf37616eaec6d941/modules/signatures/windows/antisandbox_cuckoo_files.py#L32,high,,high,greyware_tool,detection rule,,https://github.com/cuckoosandbox/community/blob/14864b9fa2ba2576ca11887caf37616eaec6d941/modules/signatures/windows/antisandbox_cuckoo_files.py#L32,^cuckoo$
\innocent,LPE exploit for CVE-2023-36802,CVE-2023-21768,Privilege Escalation,https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802/blob/1b0d39cdd35cfd6dd6f44063122fde7fdc3b9982/Windows_MSKSSRV_LPE_CVE-2023-36802/exploit.c#L66C15-L66C36,critical,,critical,offensive_tool,detection rule,,https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802/blob/1b0d39cdd35cfd6dd6f44063122fde7fdc3b9982/Windows_MSKSSRV_LPE_CVE-2023-36802/exploit.c#L66C15-L66C36,^innocent$
\ioring_in,CVE-2023-21768 exploits,CVE-2023-21768,Privilege Escalation,"https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802/blob/1b0d39cdd35cfd6dd6f44063122fde7fdc3b9982/Windows_MSKSSRV_LPE_CVE-2023-36802/exploit.c#L66C15-L66C36,metasploit-framework\external\source\exploits\CVE-2023-21768\ioring.c,vipermsf\external\source\exploits\CVE-2023-21768\ioring.c",high,,high,offensive_tool,detection rule,,"https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802/blob/1b0d39cdd35cfd6dd6f44063122fde7fdc3b9982/Windows_MSKSSRV_LPE_CVE-2023-36802/exploit.c#L66C15-L66C36,metasploit-framework\external\source\exploits\CVE-2023-21768\ioring.c,vipermsf\external\source\exploits\CVE-2023-21768\ioring.c",^ioring_in$
\ioring_out,CVE-2023-21768 exploits,CVE-2023-21768,Privilege Escalation,"https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802/blob/1b0d39cdd35cfd6dd6f44063122fde7fdc3b9982/Windows_MSKSSRV_LPE_CVE-2023-36802/exploit.c#L66C15-L66C36,metasploit-framework\external\source\exploits\CVE-2023-21768\ioring.c,vipermsf\external\source\exploits\CVE-2023-21768\ioring.c",high,,high,offensive_tool,detection rule,,"https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802/blob/1b0d39cdd35cfd6dd6f44063122fde7fdc3b9982/Windows_MSKSSRV_LPE_CVE-2023-36802/exploit.c#L66C15-L66C36,metasploit-framework\external\source\exploits\CVE-2023-21768\ioring.c,vipermsf\external\source\exploits\CVE-2023-21768\ioring.c",^ioring_out$
*CyberGhost*,CyberGhost VPN Service,CyberGhost VPN,VPN,https://www.cyberghostvpn.com/,medium,none,medium,greyware_tool,Hunting,named pipe observed: \W11LabCyberGhost8Service + \W11LabCyberGhost8ServiceUpdateCallbacks + \W11LabCyberGhost8ServiceVPN,https://www.cyberghostvpn.com/,^.*CyberGhost.*
\TCRmtShellAgentModule_*,Dameware Remote Everywhere Agent (\Dameware Remote Everywhere Agent\BASupSrvc.exe + \BASupRegEditHlpr.exe + \TCRmtShellAgent.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^TCRmtShellAgentModule_.*
\MSPARegEditHelper_*,Dameware Remote Everywhere Agent (\Dameware Remote Everywhere Agent\BASupSrvc.exe + \BASupRegEditHlpr.exe + \TCRmtShellAgent.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^MSPARegEditHelper_.*
\MSPxTSHlpSrv_*,Dameware Remote Everywhere Agent (\Dameware Remote Everywhere Agent\BASupSrvc.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^MSPxTSHlpSrv_.*
\TCDirectChat_*,Dameware Remote Everywhere Agent (\Dameware Remote Everywhere Agent\BASupSrvc.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^TCDirectChat_.*
\TCRmtShellAgentModule_*,Dameware Remote Everywhere Agent (\Dameware Remote Everywhere Agent\BASupSrvc.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^TCRmtShellAgentModule_.*
\MSPAClipboardHelper_*,Dameware (BASupClpHlp.exe + BASEClient.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^MSPAClipboardHelper_.*
\clipboardHelperProgressBar_*,Dameware (BASupClpHlp.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^clipboardHelperProgressBar_.*
\TCRmtShellViewerModule_*,Dameware (TCRmtShellViewer.exe + BASEClient.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^TCRmtShellViewerModule_.*
\dre_video_uploader,Dameware (\tkcuploader.exe + \BAConsoleApp.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^dre_video_uploader$
\comnap,Turla malware pipe name,Turla,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/vxunderground_APTs_2015/2015/2015.01.20%20-%20Project%20Cobra/Paper/Project%20Cobra/content.txt#L209,high,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^comnap$
\iehelper,Turla malware pipe name,Turla,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/web_archive_org/web_20170718174931_https___www_melani_admin_ch_dam_melani_de_dokumente_2016_technical_20report_20ruag_pdf_download_pdf_Report_Ruag-Espionage-Case_pdf/content.txt#L618,high,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^iehelper$
\sdlrpc,Turla malware pipe name,Turla,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/vxunderground_APTs_2015/2015/2015.01.20%20-%20Project%20Cobra/Paper/Project%20Cobra/content.txt#L212,high,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^sdlrpc$
\userpipe,Turla malware pipe name,Turla,Malware,https://github.com/mthcht/ThreatIntel-Reports/blob/2cd10a812b1438cdf9e80ca61743d4d84901eeac/Intel%20Reports/web_archive_org/web_20170718174931_https___www_melani_admin_ch_dam_melani_de_dokumente_2016_technical_20report_20ruag_pdf_download_pdf_Report_Ruag-Espionage-Case_pdf/content.txt#L617,high,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^userpipe$
\dreconsole_main_instance,Dameware Remote Everywhere Agent (BAConsoleApp.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^dreconsole_main_instance$
\tcpreload_*,Dameware Remote Everywhere Agent (BAConsoleApp.exe + BASEClient.exe),Dameware,RMM,https://www.solarwinds.com/dameware-remote-everywhere,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/Dameware.csv,^tcpreload_.*
\win-sux-no-async-anon-pipe-*-*,dns2tcp,dns2tcp,Defense Evasion,https://github.com/alex-sector/dns2tcp/blob/52935452ba771b96e96f622127e70ec9ef01c0b4/client/command.c#L149,high,,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/dns2tcp.csv,^win-sux-no-async-anon-pipe-.*-.*
\docker*,docker usage,docker,Compliance,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^docker.*
\DogCraftX,Dograft Backdoor,Dograft,Malware,https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Backdoor/Win32/Dograft/Backdoor_Win32_Dograft_A.yar#L10,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^DogCraftX$
\dbxsvc,Dropbox usage,Dropbox,Data Exfiltration,https://github.com/mthcht/awesome-lists,high,low,medium,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^dbxsvc$
\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E},DLL backdoor that is used for network infection - accepts commands via this named pipe,DUQU 2.0,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,high,low,medium,offensive_tool,detection rule,N.A,https://github.com/mthcht/awesome-lists,^{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}$
\{AB6172ED-8105-4996-9D2A-597B5F827501},DLL backdoor that is used for network infection - accepts commands via this named pipe,DUQU 2.0,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,high,low,medium,offensive_tool,detection rule,N.A,https://github.com/mthcht/awesome-lists,^{AB6172ED-8105-4996-9D2A-597B5F827501}$
\{0710880F-3A55-4A2D-AA67-1123384FD859},DLL backdoor that is used for network infection - accepts commands via this named pipe,DUQU 2.0,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,high,low,medium,offensive_tool,detection rule,N.A,https://github.com/mthcht/awesome-lists,^{0710880F-3A55-4A2D-AA67-1123384FD859}$
\{6C51A4DB-E3DE4FEB-86A4-32F7F8E73B99},DLL backdoor that is used for network infection - accepts commands via this named pipe,DUQU 2.0,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,high,low,medium,offensive_tool,detection rule,N.A,https://github.com/mthcht/awesome-lists,^{6C51A4DB-E3DE4FEB-86A4-32F7F8E73B99}$
\{7F9BCFC0-B36B-45EC-B377-D88597BE5D78},DLL backdoor that is used for network infection - accepts commands via this named pipe,DUQU 2.0,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,high,low,medium,offensive_tool,detection rule,N.A,https://github.com/mthcht/awesome-lists,^{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}$
\{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A},DLL backdoor that is used for network infection - accepts commands via this named pipe,DUQU 2.0,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,high,low,medium,offensive_tool,detection rule,N.A,https://github.com/mthcht/awesome-lists,^{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}$
\3obdw5e5w4,Dyre infostealer Dyzap,Dyzap,Malware,https://community.f5.com/kb/technicalarticles/dyre---no-rest-for-the-wicked/278457,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^3obdw5e5w4$
\g2fabg5713,Dyre infostealer Dyzap,Dyzap,Malware,https://baesystemsai.blogspot.com/2015/11/peering-into-dyres-traffic.html,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^g2fabg5713$
\RangisPipe6,Dyre infostealer Dyzap,Dyzap,Malware,https://stopmalvertising.com/malware-reports/introduction-to-dyreza-the-banker-that-bypasses-ssl.html,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^RangisPipe6$
\mvnwihe2w,Dyre infostealer Dyzap,Dyzap,Malware,https://docs.broadcom.com/doc/dyre-emerging-threat,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^mvnwihe2w$
\2f1e5f214354r,Dyre infostealer Dyzap,Dyzap,Malware,https://docs.broadcom.com/doc/dyre-emerging-threat,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^2f1e5f214354r$
\EasySystem,Quick and dirty System (Power)Shell using NamedPipe impersonation - also used by Cn33liz/P0wnedShell,EasySystem,Defense Evasion,https://github.com/Cn33liz/EasySystem/blob/92662bd389c733e73d7dd6b7107efa575b9ce790/EasySystem/EasySystem.c#L85,high,,high,offensive_tool,detection rule,,https://github.com/Cn33liz/EasySystem/blob/92662bd389c733e73d7dd6b7107efa575b9ce790/EasySystem/EasySystem.c#L85,^EasySystem$
\warpzone8,elevationstation elevate to SYSTEM - Metasploit and PSEXEC getsystem alternative,elevationstation,Privilege Escalation,https://github.com/g3tsyst3m/elevationstation/blob/fe3a2c64eaaf2d8e2148f18235054c0e1bf90357/elevationstation/elevationstation.cpp#L55,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/elevationstation.csv,^warpzone8$
\pcheap_reuse,EquationGroup Tool,EQGPR,Exploitation,https://github.com/Yara-Rules/rules/blob/0f93570194a80d2f2032869055808b0ddcdfb360/malware/APT_eqgrp_apr17.yar#L2358,high,,high,offensive_tool,detection rule,,https://github.com/Yara-Rules/rules/blob/0f93570194a80d2f2032869055808b0ddcdfb360/malware/APT_eqgrp_apr17.yar#L2358,^pcheap_reuse$
\_test_pipe-*,EternalHushFramework,EternalHushFramework,C2,https://github.com/APT64/EternalHushFramework/blob/b2a70f0d958618d13da0157161d55b1b5194c9a8/prebuilt/CoreLibs/Lib/test/libregrtest/win_utils.py#L45,critical,medium,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/EternalHushFramework.csv,^_test_pipe-.*
\typeperf_output_*,EternalHushFramework,EternalHushFramework,C2,https://github.com/APT64/EternalHushFramework/blob/b2a70f0d958618d13da0157161d55b1b5194c9a8/prebuilt/CoreLibs/Lib/test/libregrtest/win_utils.py#L45,critical,medium,medium,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/EternalHushFramework.csv,^typeperf_output_.*
\kangaroo*,used by EventCleaner,EventCleaner,Defense Evasion,https://github.com/QAX-A-Team/EventCleaner/blob/56ab12fe8ba3b6484e1a6f04bf71251f4c037394/EventCleaner/EventCleaner.cpp#L370,high,low,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/EventCleaner.csv,^kangaroo.*
\EvtMuteHook_Rule_Pipe,This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging,EvtMute,Defense Evasion,https://github.com/bats3c/EvtMute/blob/master/README.md,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/EvtMute.csv,^EvtMuteHook_Rule_Pipe$
\cachedumppipe,A Tool For Mass Password Auditing of Windows Systems,fgdump,Credential Access,https://github.com/ihamburglar/fgdump/blob/c883704e5e34d7aa8fce6fb0a0777df3ebb693ac/cachedump/cachedump.h#L7,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^cachedumppipe$
\UxdEvent_API_Service,Filecoder Ransomware,Filecoder,Ransomware,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/ransom.win32.crytem.a,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^UxdEvent_API_Service$
\fuego-control,fuegoshell pipe name,fuegoshell,Lateral Movement,https://github.com/v1k1ngfr/fuegoshell,critical,none,critical,offensive_tool,detection rule,https://github.com/v1k1ngfr/fuegoshell/blob/af3e24da722fd3a654e841e98644e84ff406ae6a/fuegoshell/generate_reverse_fuegoshell.ps1#L2,https://github.com/mthcht/awesome-lists,^fuego-control$
\fuego-data,fuegoshell pipe name,fuegoshell,Lateral Movement,https://github.com/v1k1ngfr/fuegoshell,critical,none,critical,offensive_tool,detection rule,https://github.com/v1k1ngfr/fuegoshell/blob/af3e24da722fd3a654e841e98644e84ff406ae6a/fuegoshell/generate_reverse_fuegoshell.ps1#L1,https://github.com/mthcht/awesome-lists,^fuego-data$
\fuegoshell,fuegoshell pipe name,fuegoshell,Lateral Movement,https://github.com/v1k1ngfr/fuegoshell,critical,none,critical,offensive_tool,detection rule,https://github.com/v1k1ngfr/fuegoshell/blob/af3e24da722fd3a654e841e98644e84ff406ae6a/fuegoshell/generate_bind_fuegoshell.ps1#L4,https://github.com/mthcht/awesome-lists,^fuegoshell$
\turum,Genasom Ransomware,Genasom,Ransomware,https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Ransom/Win32/Genasom/Ransom_Win32_Genasom_SD_MTB.yar#L9,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^turum$
\GhidraGDB,Ghidra is a software reverse engineering (SRE) framework,Ghidra,Reverse Engineering,https://github.com/NationalSecurityAgency/ghidra/blob/fae64a82c0142b0cf29e1b59dd775fa516bb1044/Ghidra/Framework/Pty/src/test/java/ghidra/pty/windows/NamedPipeTest.java#L46,medium,,medium,greyware_tool,Hunting,,https://github.com/NationalSecurityAgency/ghidra/blob/fae64a82c0142b0cf29e1b59dd775fa516bb1044/Ghidra/Framework/Pty/src/test/java/ghidra/pty/windows/NamedPipeTest.java#L46,^GhidraGDB$
\testascxzc,Windows Backdoor Govrat,Govrat,Malware,https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Backdoor/Win32/Govrat/Backdoor_Win32_Govrat_A.yar#L25,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^testascxzc$
\EngineerPipe,A C# Command & Control framework,HardHatC2,C2,https://github.com/DragoQCC/HardHatC2/blob/e55b0d39345cbe7512c4f96e5a9128c305473b93/Engineer/Commands/InlineShellcode.cs#L47,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/HardHatC2.csv,^EngineerPipe$
\demon_pipe,Havoc C2 pipe name,Havoc,C2,https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/profiles/http_smb.yaotl#L67,high,none,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/E-H/havoc.csv,^demon_pipe$
\Ctx_WinStation_API_service,impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,medium,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv,^Ctx_WinStation_API_service$
\LSM_API_service,impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,high,low,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv,^LSM_API_service$
\protected_storage,impacket dpapi - using the DPAPI/Vault structures to unlock Windows Secrets,impacket,Credential Access,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/examples/dpapi.py#L261,high,high,medium,offensive_tool,Hunting,pipe used by multiple projects - subject to false positives,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv,^protected_storage$
\TermSrv_API_service,impacket dcerpc,impacket,Exploitation,https://github.com/fortra/impacket/blob/2de29184dc93247829099fcbc52ff256817c6a94/impacket/dcerpc/v5/tsts.py#L2031,critical,medium,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv,^TermSrv_API_service$
\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*,impacketremoteshell default pipe name,impacketremoteshell,Lateral Movement,https://github.com/trustedsec/The_Shelf,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv,^AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.*
\RemoteMaint,impacketremoteshell default pipe name,impacketremoteshell,Lateral Movement,https://github.com/trustedsec/The_Shelf,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv,^RemoteMaint$
\forRealLegit,InlineExecute-Assembly,InlineExecute-Assembly,Exploitation,https://github.com/anthemtotheego/InlineExecute-Assembly/blob/402637229d1c9abab221119601143732eb867e26/README.md?plain=1#L50,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^forRealLegit$
\toteslegit,InlineExecute-Assembly,InlineExecute-Assembly,Exploitation,https://github.com/anthemtotheego/InlineExecute-Assembly/blob/402637229d1c9abab221119601143732eb867e26/inlineExecuteAssembly/inlineExecute-Assembly.cna#L18,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^toteslegit$
\ExploitPipe,InstallerFileTakeOver exploit POC CVE-2021-41379 patch bypass,InstallerFileTakeOver,Privilege Escalation,https://github.com/Al1ex/WindowsElevation/blob/e8fa2760f0ea29d1cdc759c623021d5ab7b715e2/InstallerFileTakeOver/InstallerFileTakeOver/InstallerFileTakeOver.cpp#L354,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^ExploitPipe$
\Something,Invoke-SMBRemoting,Invoke-SMBRemoting,Lateral Movement,https://github.com/Leo4j/Amnesiac/blob/216ba3a280bf49ea3f5b1afab80f843bbde3548d/Tools/Invoke-SMBRemoting.ps1#L32,high,low,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/Invoke-SMBRemoting.csv,^Something$
\FASTDOS,Iron Tiger Malware - PlugX DosEmulator,Iron Tiger,Malware,https://github.com/Neo23x0/signature-base/blob/857ac87b4b9fb5d71cdd5935766b330f71845a75/yara/apt_irontiger_trendmicro.yar#L169,critical,,critical,offensive_tool,detection rule,,https://github.com/Neo23x0/signature-base/blob/857ac87b4b9fb5d71cdd5935766b330f71845a75/yara/apt_irontiger_trendmicro.yar#L169,^FASTDOS$
\kekeo_tsssp_endpoint,kekeo stealing credentials,kekeo,Credential Access,https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass.md,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/kekeo.csv,^kekeo_tsssp_endpoint$
\asio-A0812896-741A-484D-AF23-BE51BF620E22-*,Kismet is an open source sniffer - WIDS - wardriver and packet capture tool for Wi-Fi,Kismet,Exploitation,https://github.com/kismetwireless/kismet/blob/929924f71019121345fc2b69fb30b6507c90023d/boost/asio/impl/connect_pipe.ipp#L66,high,medium,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/kismet.csv,^asio-A0812896-741A-484D-AF23-BE51BF620E22-.*
\imposecost,Koh Token Stealer,Koh Token Stealer,Credential Access,https://github.com/GhostPack/Koh/blob/2e60ce274dc4f0bdce265174526f6d439f6a1414/Clients/BOF/KohClient.c#L12,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^imposecost$
\imposingcost,Koh Token Stealer,Koh Token Stealer,Credential Access,https://github.com/GhostPack/Koh/blob/2e60ce274dc4f0bdce265174526f6d439f6a1414/Clients/BOF/KohClient.c#L12,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/cobaltstrike.csv,^imposingcost$
\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7,LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript,LiquidSnake,Lateral Movement,https://github.com/RiccardoAncarani/LiquidSnake/blob/d2175346393d2199efe99b362301ea86ef3ce7c6/CSharpNamedPipeLoader/CSharpNamedPipeLoader/Program.cs#L410,critical,,critical,offensive_tool,detection rule,,https://github.com/RiccardoAncarani/LiquidSnake/blob/d2175346393d2199efe99b362301ea86ef3ce7c6/CSharpNamedPipeLoader/CSharpNamedPipeLoader/Program.cs#L410,^6e7645c4-32c5-4fe3-aabf-e94c2f4370e7$
\LogMeInRescue_rarc_r_*,LogMeIn  default RMM usage,LogMeIn,RMM,https://www.logmeinrescue.com/,high,none,high,greyware_tool,detection rule,used by LMI_RescueRC.exe and LMI_Rescue_srv.exe,,^LogMeInRescue_rarc_r_.*
\LogMeInRescue_rarc_w_*,LogMeIn  default RMM usage,LogMeIn,RMM,https://www.logmeinrescue.com/,high,none,high,greyware_tool,detection rule,used by LMI_RescueRC.exe and LMI_Rescue_srv.exe,,^LogMeInRescue_rarc_w_.*
\LogMeInRescue_ipc*,LogMeIn  default RMM usage,LogMeIn,RMM,https://www.logmeinrescue.com/,high,none,high,greyware_tool,detection rule,used by LMI_RescueRC.exe LMI_Rescue.exe and LMI_Rescue_srv.exe ,,^LogMeInRescue_ipc.*
\malDBG,malware analysis lokibot,lokibot,Malware,https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/26ce0dd827b17d5db25abee125dd890e64c3f806/Lokibot_Analyzing/Lokibot_analyzing.md?plain=1#L37,medium,,high,offensive_tool,detection rule,,https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/26ce0dd827b17d5db25abee125dd890e64c3f806/Lokibot_Analyzing/Lokibot_analyzing.md?plain=1#L37,^malDBG$
\lsarelayx,lsarelayx usage,lsarelayx,Credential Access,https://github.com/CCob/lsarelayx/blob/b45e4565c5688a395c54b92654d68b2514af39eb/plugin/lsarelayx.cpp#L105,high,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/lsarelayx.csv,^lsarelayx$
\MalDevEDR,EDR/AV Simulation for Malware Development,MalDevEDR,Exploitation,https://github.com/redt1de/MaldevEDR/blob/1b48281149e717f1bab4d78c8412fb333a7c83bf/config.yaml#L19,critical,,critical,offensive_tool,detection rule,,https://github.com/redt1de/MaldevEDR/blob/1b48281149e717f1bab4d78c8412fb333a7c83bf/config.yaml#L19,^MalDevEDR$
\MEGAprivacyMEGAsync,MEGAsync synchro backup,MEGAsync,RMM,https://mega.io/en/desktop,high,none,high,greyware_tool,Hunting,MEGAsync.exe behavior,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MEGAsync.csv,^MEGAprivacyMEGAsync$
\MerlinPipe,Merlin is a post-exploit Command & Control,Merlin,C2,https://github.com/Ne0nd0g/merlin-agent/blob/653ac5558e4f8a0893b2285a158a3b26735c6c79/clients/smb/smb_windows.go#L148,critical,none,critical,offensive_tool,Detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/merlin.csv,^MerlinPipe$
\merlin,Merlin is a post-exploit Command & Control,Merlin,C2,https://github.com/Ne0nd0g/merlin-agent/blob/653ac5558e4f8a0893b2285a158a3b26735c6c79/clients/smb/smb_windows.go#L148,critical,none,critical,offensive_tool,Detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/merlin.csv,^merlin$
\localcation,Worm Mernzic,Mernzic,Malware,https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Worm/Win32/Mernzic/Worm_Win32_Mernzic_A.yar#L9,critical,low,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^localcation$
\mesh-*,meshagent (meshcentral) default named pipe pattern,MeshAgent,RMM,https://github.com/Ylianst/MeshAgent/blob/17a37ea4a698a84b21cab6a85bdb9d736b929d57/modules/process-manager.js#L264C36-L264C41,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/meshcentral.csv,^mesh-.*
\acsipc_server,Agnitum Outpost Internet Security Local Privilege Escalation,metasploit,Privilege Escalation,https://github.com/rapid7/metasploit-framework/blob/ec5648f6c50fc0af779f3b2a3ac7afa9fdca9344/modules/exploits/windows/local/agnitum_outpost_acs.rb#L118,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^acsipc_server$
\IPEFSYSPCPIPE,iPass Mobile Client Service Privilege Escalation,metasploit,Privilege Escalation,https://github.com/rapid7/metasploit-framework/blob/ec5648f6c50fc0af779f3b2a3ac7afa9fdca9344/modules/exploits/windows/local/ipass_launch_app.rb#L81,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^IPEFSYSPCPIPE$
\msf-pipe,Metasploit bind named pipe,metasploit,Exploitation,https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/msf/core/handler/bind_named_pipe.rb#L207,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^msf-pipe$
\orcljsexorcl,Oracle Job Scheduler Named Pipe Command Execution,metasploit,Exploitation,https://github.com/rapid7/metasploit-framework/blob/ec5648f6c50fc0af779f3b2a3ac7afa9fdca9344/modules/exploits/windows/oracle/extjob.rb#L101,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^orcljsexorcl$
\OVSystem*,HP OpenView Network Node Manager execvp_nc Buffer Overflow,metasploit,Exploitation,https://github.com/rapid7/metasploit-framework/blob/ec5648f6c50fc0af779f3b2a3ac7afa9fdca9344/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb#L95C29-L95C43,medium,,medium,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^OVSystem.*
\SUPipeServer,Lenovo System Update Privilege Escalation,metasploit,Privilege Escalation,https://github.com/rapid7/metasploit-framework/blob/ec5648f6c50fc0af779f3b2a3ac7afa9fdca9344/modules/exploits/windows/local/lenovo_systemupdate.rb#L179,critical,high,low,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^SUPipeServer$
\WindscribeService*,The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \\.\pipe\WindscribeService allowing execution of programs with elevated privileges,metasploit,Privilege Escalation,https://github.com/rapid7/metasploit-framework/blob/ec5648f6c50fc0af779f3b2a3ac7afa9fdca9344/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md?plain=1#L63,high,low,high,offensive_tool,detection rule,false positive: legitimate usage of Windscribe VPN client application ,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^WindscribeService.*
\5e120a,meterpreter getsystem,meterpreter,C2,https://github.com/SigmaHQ/sigma/blob/7364ce00b1444802caaebefdccb6d8f6a92f1112/unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml#L23,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv,^5e120a$
*mimikatz*,kekeo stealing credentials,mimikatz,Credential Access,https://github.com/gentilkiwi/kekeo/blob/d3ee2ae2fdeb5581fe2be1d53838f66729c3de16/kekeo/modules/kuhl_m_tsssp.c#L29,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/mimikatz.csv,^.*mimikatz.*
\MyNamePipe,used by the offensive tool mortar,mortar,Defense Evasion,https://github.com/0xsp-SRD/mortar/blob/ac6004a00cfc90002e88aa2f72e931440e8dbff6/Lib/core.pas#L70,high,high,medium,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/mortar.csv,^MyNamePipe$
\moj_ML_ntsvcs,used by the offensive tool mortar,mortar,Defense Evasion,https://github.com/0xsp-SRD/mortar/blob/ac6004a00cfc90002e88aa2f72e931440e8dbff6/DLL/agressor.lpr#L91,high,low,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/mortar.csv,^moj_ML_ntsvcs$
\HighPriv,"taken from ""Some usefull Scripts and Executables for Pentest & Forensics""",NamedPipeSystem,Privilege Escalation,https://github.com/cbwang505/Creds/blob/475676e8f07cd7c4ef74084bf264ec0ec0d0f1d4/Csharp/NamedPipeSystem.cs#L28,critical,,critical,offensive_tool,detection rule,,https://github.com/cbwang505/Creds/blob/475676e8f07cd7c4ef74084bf264ec0ec0d0f1d4/Csharp/NamedPipeSystem.cs#L28,^HighPriv$
\napSolar,Old Trojan Napolar,Napolar,Malware,https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^napSolar$
\npx86_Services,Old Trojan Napolar,Napolar,Malware,https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^npx86_Services$
\ncat-*,ncat usage,ncat,C2,https://github.com/nmap/nmap/blob/ff92f5bae941058fae4782167fc7cb49b29c9440/ncat/ncat_exec_win.c#L209,critical,low,critical,greyware_tool,detection rule,,https://github.com/nmap/nmap/blob/ff92f5bae941058fae4782167fc7cb49b29c9440/ncat/ncat_exec_win.c#L209,^ncat-.*
\mojo.7304.10032.2584273091328543665,Nemesis sample file named pipe,Nemesis,Exploitation,https://github.com/SpecterOps/Nemesis/blob/ee5ab5b330935ccd5809ff6f91c0338a28785df4/sample_files/structured/named_pipes.json#L4,high,low,high,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/nemesis.csv,^mojo.7304.10032.2584273091328543665$
\FssagentRpc,NetExec,NetExec,Lateral Movement,https://github.com/Pennyw0rth/NetExec/blob/66e6c95f0d4cabe4acabdfadaa69f8eb38bb056f/nxc/modules/shadowcoerce.py#L207,critical,medium,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetExec.csv,^FssagentRpc$
\netdfs,NetExec,NetExec,Lateral Movement,https://github.com/Pennyw0rth/NetExec/blob/66e6c95f0d4cabe4acabdfadaa69f8eb38bb056f/nxc/modules/dfscoerce.py#L126,critical,low,critical,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetExec.csv,^netdfs$
\client32_VistaUIPipe2,NetSupport Manager\client32.exe RMM usage,NetSupport,RMM,netsupportsoftware.com,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetSupport.csv,^client32_VistaUIPipe2$
\client32_VistaPipe2,NetSupport Manager\client32.exe RMM usage,NetSupport,RMM,netsupportsoftware.com,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetSupport.csv,^client32_VistaPipe2$
\xai,priv esc for SeImpersonatePrivilege,NP_impersonate,Privilege Escalation,https://github.com/sailay1996/NP_impersonate/blob/06bc253d249de7f4b71ede6e223ec1bda079899a/np_createProcess.c#L55,high,,critical,offensive_tool,detection rule,,https://github.com/sailay1996/NP_impersonate/blob/06bc253d249de7f4b71ede6e223ec1bda079899a/np_createProcess.c#L55,^xai$
\openssh-ssh-agent,openssh usage,OpenSSH,Lateral Movement,https://github.com/libssh2/libssh2/blob/fc00bdd7f195fc6511d18d11cad2801b56c5549e/src/agent_win.c#L124,info,,info,greyware_tool,Hunting,,https://github.com/libssh2/libssh2/blob/fc00bdd7f195fc6511d18d11cad2801b56c5549e/src/agent_win.c#L124,^openssh-ssh-agent$
\paexec*,PSEXEC like,PAEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv,^paexec.*
\PAExecErr*,Remote execution like PsExec,PAEXEC,Lateral Movement,https://github.com/poweradminllc/PAExec/blob/954f83e789223d2b5be59575ce39f6d721b5020c/ConsoleRedir.cpp#L68,critical,,critical,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv,^PAExecErr.*
\PAExecIn*,Remote execution like PsExec,PAEXEC,Lateral Movement,https://github.com/poweradminllc/PAExec/blob/954f83e789223d2b5be59575ce39f6d721b5020c/ConsoleRedir.cpp#L68,critical,,critical,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv,^PAExecIn.*
\PAExecOut*,Remote execution like PsExec,PAEXEC,Lateral Movement,https://github.com/poweradminllc/PAExec/blob/954f83e789223d2b5be59575ce39f6d721b5020c/ConsoleRedir.cpp#L68,critical,,critical,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv,^PAExecOut.*
\petit\pipe\srvsvc,PetitPotato.exe default pipe,PetitPotato,Privilege Escalation,https://github.com/wh0amitz/PetitPotato/blob/047aebdc7a05fab2c08eff2bbac984f59fc218cf/PetitPotato/PetitPotato.cpp#L138,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PetitPotato.csv,^petit\\pipe\\srvsvc$
\GetSys,Windows named pipes exploitation example in  e-zine written by and for hackers,phrack,Exploitation,https://github.com/rootkiter/phrack/blob/5c3ef0663f09d124ea7601dc793f13b9b730295b/phrack61/3.txt#L295,critical,,critical,offensive_tool,detection rule,,https://github.com/rootkiter/phrack/blob/5c3ef0663f09d124ea7601dc793f13b9b730295b/phrack61/3.txt#L295,^GetSys$
\u0hxc1q44vhhbj5oo4ohjieo8uh7ufxe,PIPEDANCE malware,PIPEDANCE,Malware,https://www.elastic.co/security-labs/twice-around-the-dance-floor-with-pipedance,critical,,critical,offensive_tool,detection rule,,https://www.elastic.co/security-labs/twice-around-the-dance-floor-with-pipedance,^u0hxc1q44vhhbj5oo4ohjieo8uh7ufxe$
\RUN_AT_SESSION*,Backdoor Sogu / PlugX,PlugX,Malware,https://github.com/nasbench/DefenderYara/blob/e17e256e1c6517972dafe56f4ad7590d99321f3d/Backdoor/Win32/Plugx/Backdoor_Win32_Plugx_L_dha.yar#L11,critical,low,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^RUN_AT_SESSION.*
\RUN_AS_USER*,PlugX malware,PlugX,Malware,https://silascutler.com/2020/11/03/Fresh-PlugX-October-2019/,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^RUN_AS_USER.*
\mantvydas-first-pipe,privilege escalation poc,POC,Privilege Escalation,https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/blob/master/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation.md,critical,,critical,offensive_tool,detection rule,,https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/blob/master/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation.md,^mantvydas-first-pipe$
\jaccdpqnvbrrxlaf,"poshc2	pipe name from poshc2 usage",PoshC2,C2,https://github.com/nettitude/PoshC2,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/poshc2.csv,^jaccdpqnvbrrxlaf$
\Posh*,"poshc2	pipe name from poshc2 usage",PoshC2,C2,https://github.com/nettitude/PoshC2/blob/517903431ab43e6d714b24b0752ba111f5d4c2f1/resources/modules/NamedPipeProxy.ps1#L4,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/poshc2.csv,^Posh.*
\TestSVC,GetSystem in Empire & PoshC2,PoshC2,C2,https://github.com/splunk/car/blob/5f74ab40c7e27accc38a5ee0fa664a68dbabc0cc/docs/analytics/CAR-2021-02-002/index.md?plain=1#L107C1-L107C29,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/poshc2.csv,^TestSVC$
*Potato*,Privilege escalation tools suspicious name,Potato,Privilege Escalation,https://github.com/mthcht/awesome-lists,high,,critical,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/localpotato.csv,^.*Potato.*
*pwned*,Potato to get SYSTEM via SeImpersonate privileges,Potato,Privilege Escalation,https://github.com/S3cur3Th1sSh1t/MultiPotato/blob/main/README.md,critical,,critical,offensive_tool,detection rule,,https://github.com/S3cur3Th1sSh1t/MultiPotato/blob/main/README.md,^.*pwned.*
\PSHost.*.powershell*,powershell usage,POWERSHELL,Lateral Movement,https://github.com/mthcht/awesome-lists,medium,high,low,greyware_tool,Hunting,administrative tool - used by administrators,https://github.com/mthcht/awesome-lists,^PSHost..*.powershell.*
\PowerShellISEPipeName*,powershell ISE usage,Powershell ISE,Lateral Movement,https://github.com/mthcht/awesome-lists,medium,high,low,greyware_tool,Hunting,administrative tool - used by administrators,https://github.com/mthcht/awesome-lists,^PowerShellISEPipeName.*
\sqsvc,Powersploit,Powersploit,Exploitation,https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet/blob/702daf94e384589cdc81fe62f1337b390ce06488/Z%20-%20Tool%20Box/PowerSploit-Dev/Exfiltration/LogonUser/LogonUser/logon/logon.cpp#L22,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/powersploit.csv,^sqsvc$
\PrivFuPipe*,Privilege escalation PoCs,PrivFu,Privilege Escalation,https://github.com/daem0nc0re/PrivFu/blob/900343121cc043b76aa5c74f526d3feda6e197c4/ArtsOfGetSystem/PrintSpoofer/Library/Globals.cs#L7,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PrivFu.csv,^PrivFuPipe.*
*-stderr,PSEXEC like,PSEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv,^.*-stderr$
*-stdin,PSEXEC like,PSEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv,^.*-stdin$
*-stdout,PSEXEC like,PSEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv,^.*-stdout$
\csexec*,PSEXEC like,PSEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv,^csexec.*
\PSEXEC*,PSEXEC utilisation,PSEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv,^PSEXEC.*
\PSEXESVC*,PSEXEC utilisation,PSEXEC,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv,^PSEXESVC.*
\putty-connshare*,Putty connection established,Putty,Data Exfiltration,https://github.com/mthcht/awesome-lists,high,low,medium,greyware_tool,Hunting,administrative tool - can be used by administrators,https://github.com/mthcht/awesome-lists,^putty-connshare.*
\blindspot-*,Pyramid default pipe (attack simulation),Pyramid,Defense Evasion,https://github.com/naksyn/Pyramid,high,none,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Pyramid.csv,^blindspot-.*
\sapipipe,R2d2 backdoor (state trojan),R2d2 backdoor,Malware,https://analyze.intezer.com/files/2b7bbea0b5f8f82c0597e1e710afa2b9f5a0acaf6f46a8fcc62ab103ecb6a319/sub/7f8b32b1-2df9-425f-9f56-317b1f24da07/string-reuse,critical,low,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^sapipipe$
\R2PIPE_IN,radare2 ,radare2 ,Discovery,https://github.com/radareorg/radare2/blob/9b9d4ed769b4c60e204cfe5655331d856c1513f1/binr/r2r/run.c#L37,info,,low,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Radare2.csv,^R2PIPE_IN$
\r2r-subproc*,radare2 ,radare2 ,Discovery,https://github.com/radareorg/radare2/blob/9b9d4ed769b4c60e204cfe5655331d856c1513f1/binr/r2r/run.c#L37,info,,low,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Radare2.csv,^r2r-subproc.*
\NamePipe_MoreWindows,APT RedLeaves pipe,RedLeaves,Malware,https://github.com/CYB3RMX/Qu1cksc0pe/blob/8ec84a344019e07e24de35de3a00bb7ad3090498/Systems/Windows/YaraRules_Windows/APT_RedLeaves.yara#L17,high,,high,offensive_tool,detection rule,,https://github.com/CYB3RMX/Qu1cksc0pe/blob/8ec84a344019e07e24de35de3a00bb7ad3090498/Systems/Windows/YaraRules_Windows/APT_RedLeaves.yara#L17,^NamePipe_MoreWindows$
\youcantpatchthis,using named pipe output with beacon ReflectiveDLLs,ReflectiveDll,C2,https://github.com/rxwx/cs-rdll-ipc-example/blob/2d331dae5d5dd84e5d6fbc5a0c152e690539c70f/ReflectiveDll/dllmain.cpp#L11,critical,,critical,offensive_tool,detection rule,,https://github.com/rxwx/cs-rdll-ipc-example/blob/2d331dae5d5dd84e5d6fbc5a0c152e690539c70f/ReflectiveDll/dllmain.cpp#L11,^youcantpatchthis$
\remcom*,PSEXEC like,Remcom,Lateral Movement,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,high,low,high,greyware_tool,Hunting,,https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c,^remcom.*
\RemCom_Commuincation,PSEXEC like / Impacket,Remcom,Lateral Movement,https://github.com/kavika13/RemCom/blob/45e902f957c2d1bba519f5c2d47d1e6e8de648d0/RemCom.h,high,low,high,greyware_tool,Hunting,,https://n7wera.notion.site/Modifing-Impacket-to-avoid-detection-4df93e4bdbdc439988d79864774af569,^RemCom_Commuincation$
\ahexec,HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY),RemoteAdmin.Linux,Malware,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,high,,high,greyware_tool,Hunting,,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,^ahexec$
\ahexec_stderr,HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY),RemoteAdmin.Linux,Malware,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,high,,high,greyware_tool,Hunting,,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,^ahexec_stderr$
\ahexec_stdin,HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY),RemoteAdmin.Linux,Malware,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,high,,high,greyware_tool,Hunting,,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,^ahexec_stdin$
\ahexec_stdout,HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY),RemoteAdmin.Linux,Malware,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,high,,high,greyware_tool,Hunting,,https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/HackTool.Linux.WinExe.A/,^ahexec_stdout$
\RPC_DEEP_INTEGRATION_PIPE*,RemotePCLauncher.exe and RPCPerfViewer.exe behavior from RemotePC RMM,RemotePC,RMM,https://www.remotedesktop.com/,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemotePC.csv,^RPC_DEEP_INTEGRATION_PIPE.*
\RPCViewerCom,RemotePCUIU.exe behavior from RemotePC RMM,RemotePC,RMM,https://www.remotedesktop.com/,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemotePC.csv,^RPCViewerCom$
\RMSFUSClient*,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by '\Remote Utilities - Host\rfusclient.exe' and '\Remote Utilities - Host\rutserv.exe',https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RMSFUSClient.*
\RManFUSServerNotify32,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by '\Program Files (x86)\Remote Utilities - Host\rfusclient.exe' and '\Program Files (x86)\Remote Utilities - Host\rutserv.exe',https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RManFUSServerNotify32$
\RManFUSCallbackNotify32,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by 'Remote Utilities - Host\rutserv.exe',https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RManFUSCallbackNotify32$
\RMSPrint*,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by 'Remote Utilities - Host\rutserv.exe',https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RMSPrint.*
\RMS-Mini-Id-Local-Settings,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by \Remote Utilities - Server\InternetIdService.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RMS-Mini-Id-Local-Settings$
\RMS-Mini-Id-Settings-Notify,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by \Remote Utilities - Server\InternetIdService.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RMS-Mini-Id-Settings-Notify$
\BuhphoneAgentAPIViewer,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by \Remote Utilities - Viewer\rutview.exe and \rutserv.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^BuhphoneAgentAPIViewer$
\Local\RManChatServer,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by \Remote Utilities - Viewer\rutview.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^Local\\RManChatServer$
\RMS-Terminal-*,RemoteUtilities software,RemoteUtilities,RMM,https://www.remoteutilities.com/,high,low,high,greyware_tool,Hunting,executed by \Remote Utilities - Viewer\rutview.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RemoteUtilities.csv,^RMS-Terminal-.*
\RevShell,Named_Pipe_Reverse_Shell tool,RevShell,C2,https://github.com/BlackHat-Ashura/Named_Pipe_Reverse_Shell/blob/a62b02d413a2b3e2daa971044fa4b6a4d187a1b5/Named%20Pipe%20Reverse%20Shell.cpp#L15,critical,none,critical,offensive_tool,detection rule,,https://github.com/BlackHat-Ashura/Named_Pipe_Reverse_Shell/blob/a62b02d413a2b3e2daa971044fa4b6a4d187a1b5/Named%20Pipe%20Reverse%20Shell.cpp#L15,^RevShell$
\RoguePotato,RoguePotato,RoguePotato,Privilege Escalation,https://github.com/antonioCoco/RoguePotato/blob/d6156c309107de4cb72747e2fa84ca77a9fb5808/RogueOxidResolver/main.cpp#L12,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RoguePotato.csv,^RoguePotato$
\atctl,RPC-Backdoor default pipe name,RPC-Backdoor,Persistence,https://github.com/eladshamir/RPC-Backdoor/blob/e564a4290ddec18144112559b56d8130b9db2c52/RpcServer/RpcServer.cpp#L317,medium,low,high,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RPC-Backdoor.csv,^atctl$
\pipey,faxhell / printjacker / RpcSsImpersonator - Elevation to SYSTEM,RpcSsImpersonator,Privilege Escalation,https://github.com/Al1ex/WindowsElevation/blob/e8fa2760f0ea29d1cdc759c623021d5ab7b715e2/RpcSsImpersonator/src/impersonate/impersonate/dllmain.c#L676,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^pipey$
\RustDesk\query,used by RustDesk for remote control,RustDesk,RMM,https://github.com/rustdesk/rustdesk,high,low,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RustDesk.csv,^RustDesk\\query$
\RustDesk\query_cm,used by RustDesk for remote control,RustDesk,RMM,https://github.com/rustdesk/rustdesk,high,low,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RustDesk.csv,^RustDesk\\query_cm$
\RustDesk\query_portable_service*,used by RustDesk for remote control,RustDesk,RMM,https://github.com/rustdesk/rustdesk,high,low,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RustDesk.csv,^RustDesk\\query_portable_service.*
\RustDesk\query_service,used by RustDesk for remote control,RustDesk,RMM,https://github.com/rustdesk/rustdesk,high,low,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RustDesk.csv,^RustDesk\\query_service$
\__rust_anonymous_pipe1*,used by RustDesk for remote control and other legitimate tools,RustDesk,RMM,https://github.com/rustdesk/rustdesk,high,medium,medium,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RustDesk.csv,^__rust_anonymous_pipe1.*
\Teste,RustRedOps Named Pipe Client / Server,RustRedOps,Exploitation,https://github.com/joaoviictorti/RustRedOps/blob/1b8d25c9692f8effd03dea677f349dc0e882c5f3/Named_Pipe_Client_Server/src/client.rs#L14,medium,low,medium,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/RustRedOps.csv,^Teste$
\46a676ab7f179e511e30dd2dc41bd388,project sauron apt,sauron,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,^46a676ab7f179e511e30dd2dc41bd388$
\9f81f59bc58452127884ce513865ed20,project sauron apt,sauron,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,^9f81f59bc58452127884ce513865ed20$
\e710f28d59aa529d6792ca6ff0ca1b34,project sauron apt,sauron,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,^e710f28d59aa529d6792ca6ff0ca1b34$
\rpchlp_3,project sauron apt,sauron,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190156/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,^rpchlp_3$
\*-*ServerRead,used by Connectwise Screenconnect client RMM tool,Screenconnect,RMM,https://screenconnect.connectwise.com/,high,medium,medium,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/ScreenConnect.csv,^.*-.*ServerRead$
\*-*ServerWrite,used by Connectwise Screenconnect client RMM tool,Screenconnect,RMM,https://screenconnect.connectwise.com/,high,medium,medium,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/ScreenConnect.csv,^.*-.*ServerWrite$
\mimi,A method of bypassing EDR's active projection DLL's by preventing entry point exection,SharpBlock,Defense Evasion,https://github.com/CCob/SharpBlock/blob/master/README.md,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SharpBlock.csv,^mimi$
\ShitSecure,SharpNamedPipePTH - Pass the Hash to a named pipe for token Impersonation,SharpNamedPipePTH,Lateral Movement,https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH/blob/6ab648a47619983e242918903435de8c7393e131/SharpNamedPipePTH/Program.cs#L18,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sharpcollection.csv,^ShitSecure$
\TestSVC,Get-System.ps1 default named pipe,SharPyShell,Privilege Escalation,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89,critical,medium,high,offensive_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SharPyShell.csv,^TestSVC$
\winpty-conin-*,JWrapper-Remote Access used by SimpleHelp 'Remote Access.exe'  RMM,SimpleHelp,RMM,https://simple-help.com/,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SimpleHelp.csv,^winpty-conin-.*
\winpty-conout-*,JWrapper-Remote Access used by SimpleHelp 'Remote Access.exe' RMM,SimpleHelp,RMM,https://simple-help.com/,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SimpleHelp.csv,^winpty-conout-.*
\winpty-control-*,JWrapper-Remote Access used by SimpleHelp 'Remote Access.exe'  RMM,SimpleHelp,RMM,https://simple-help.com/,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SimpleHelp.csv,^winpty-control-.*
\bizkaz,Snatch Ransomware,Snatch,Malware,https://thedfirreport.com/2020/06/21/snatch-ransomware/,critical,,critical,offensive_tool,detection rule,,https://thedfirreport.com/2020/06/21/snatch-ransomware/,^bizkaz$
\SpectorLiveLog,Spyware + EmailWorm,Spector,Malware,https://secure.lavasoft.com/mylavasoft/malware-descriptions/blog/TrojanWin32Swrort3b998b1844d,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^SpectorLiveLog$
\583da945-62af-10e8-4902-a8f205c72b2e,SolarWinds SUNBURST malware,SUNBURST,Malware,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html,critical,,critical,offensive_tool,detection rule,,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html,^583da945-62af-10e8-4902-a8f205c72b2e$
\Supremo_Client_2,used by supremo remote access software,supremo,RMM,https://www.supremocontrol.com,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Supremo.csv,^Supremo_Client_2$
\Supremo_Helper_2,used by supremo remote access software,supremo,RMM,https://www.supremocontrol.com,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Supremo.csv,^Supremo_Helper_2$
\Supremo_Service,used by supremo remote access software,supremo,RMM,https://www.supremocontrol.com,high,low,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Supremo.csv,^Supremo_Service$
\syelog,EDR bypassing,syelog,Defense Evasion,https://github.com/Signal-Labs/NtdllUnpatcher/blob/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/include/syelog.h#L21,critical,,critical,offensive_tool,detection rule,,https://github.com/Signal-Labs/NtdllUnpatcher/blob/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/include/syelog.h#L21,^syelog$
\tailscale-test,Tailscale,Tailscale,Defense Evasion,https://github.com/tailscale/tailscale/blob/2fa219440bb5b408866413647ed92dac265ad919/safesocket/basic_test.go#L24,high,,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tailscale.csv,^tailscale-test$
\tailscale*,Tailscale,Tailscale,Defense Evasion,https://github.com/tailscale/tailscale/blob/2fa219440bb5b408866413647ed92dac265ad919/safesocket/basic_test.go#L24,high,,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tailscale.csv,^tailscale.*
\ProtectedPrefix\Administrators\Tailscale\tailscaled,Tailscale,Tailscale,Defense Evasion,https://github.com/tailscale/tailscale/blob/2fa219440bb5b408866413647ed92dac265ad919/safesocket/basic_test.go#L24,high,,high,greyware_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tailscale.csv,^ProtectedPrefix\\Administrators\\Tailscale\\tailscaled$
\__tat_anon_pipe__*,TAT agent is an agent written in Rust - which run in CVM - Lighthouse or CPM 2.0 instances. Its role is to run commands remotely without ssh login,Tencent,C2,https://github.com/Tencent/tat-agent/blob/930fa2040b8dc5b43c7f86070a3dfa3530003726/src/executor/windows.rs#L357,medium,,medium,offensive_tool,detection rule,false positive: legitimate usage of TencentCloud Automation Tools,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tailscale.csv,^__tat_anon_pipe__.*
\tenketsu,metasploit clone for linux,tenketsu,Exploitation,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/byakugan/tenketsu.cpp#L127,critical,,critical,offensive_tool,detection rule,,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/byakugan/tenketsu.cpp#L127,^tenketsu$
\tenketsuProxy,metasploit clone for linux,tenketsu,Exploitation,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/byakugan/tenketsu.cpp#L127,critical,,critical,offensive_tool,detection rule,,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/byakugan/tenketsu.cpp#L127,^tenketsuProxy$
\TIOR_Err,pipe redirector from metasploit bypassuac TIOR,thg-framework,Exploitation,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/exploits/bypassuac/Redirector.cpp#L7,critical,,critical,offensive_tool,detection rule,,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/exploits/bypassuac/Redirector.cpp#L7,^TIOR_Err$
\TIOR_In,pipe redirector from metasploit bypassuac TIOR,thg-framework,Exploitation,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/exploits/bypassuac/Redirector.cpp#L7,critical,,critical,offensive_tool,detection rule,,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/exploits/bypassuac/Redirector.cpp#L7,^TIOR_In$
\TIOR_Out,pipe redirector from metasploit bypassuac TIOR,thg-framework,Exploitation,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/exploits/bypassuac/Redirector.cpp#L7,critical,,critical,offensive_tool,detection rule,,https://github.com/killvxk/thg-framework/blob/fab929cd77c91373ebc4212bd4e5891b54f0fb1b/data/source/exploits/bypassuac/Redirector.cpp#L7,^TIOR_Out$
\TVN_log_pipe_public_name,TightVNC default named pipe,TightVNC,RMM,https://www.tightvnc.com,high,none,high,greyware_tool,Hunting,"C:\Program Files (x86)\TightVNC\tvnserver.exe	",https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tightvnc.csv,^TVN_log_pipe_public_name$
\TVN_log_pipe_public_name,TightVNC default named pipe also used by EHORUS RMM,EHORUS RMM,RMM,https://www.tightvnc.com,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/G-H/EHORUS RMM.csv,^TVN_log_pipe_public_name$
\TightVNC_Service_Control,TightVNC default named pipe,TightVNC,RMM,https://www.tightvnc.com,high,none,high,greyware_tool,Hunting,"C:\Program Files (x86)\TightVNC\tvnserver.exe	",https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tightvnc.csv,^TightVNC_Service_Control$
\TightVNC_Service_Control,TightVNC default named pipe also used by EHORUS RMM,EHORUS RMM,RMM,https://www.tightvnc.com,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/G-H/EHORUS RMM.csv,^TightVNC_Service_Control$
\mlnhcpkomdeavomsjalt,TightVNC default named pipe,TightVNC,RMM,https://www.tightvnc.com,high,low,high,greyware_tool,Hunting,"C:\Program Files (x86)\TightVNC\tvnserver.exe	",https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/tightvnc.csv,^mlnhcpkomdeavomsjalt$
\tokenvator,A tool to elevate privilege with Windows Tokens,Tokenvator,Privilege Escalation,https://github.com/0xbadjuju/Tokenvator/blob/f38c8be2b439adc87d40780a8705dbb7e1c5804d/Tokenvator/MainLoop.cs#L35,critical,,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tokenvator.csv,^tokenvator$
*lacesomepipe,trickbot malware,trickbot,Malware,https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/,critical,,critical,offensive_tool,detection rule,,https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/,^.*lacesomepipe$
\1510ea,trickbot malware,trickbot,Malware,https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/,high,medium,medium,offensive_tool,Hunting,,https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/,^1510ea$
\dce_33f8,trickbot shellcode,trickbot,Malware,https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/,medium,low,medium,offensive_tool,Hunting,,https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/,^dce_33f8$
\Scrooling*,Malware Truebot,Truebot,Malware,https://bazaar.abuse.ch/sample/717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb/,high,low,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^Scrooling.*
\comnode,Turla malwares,Turla,Malware,https://github.com/Neo23x0/signature-base/blob/857ac87b4b9fb5d71cdd5935766b330f71845a75/yara/apt_turla.yar#L91,critical,,critical,offensive_tool,detection rule,,https://github.com/Neo23x0/signature-base/blob/857ac87b4b9fb5d71cdd5935766b330f71845a75/yara/apt_turla.yar#L91,^comnode$
\isapi_dg*,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^isapi_dg.*
\isapi_http,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^isapi_http$
\isapi_http1,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^isapi_http1$
\isapi_http2,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^isapi_http2$
\isapi_http3,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^isapi_http3$
\services_control,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^services_control$
\SQL*,sql named pipes - hunt for process anomalies - high FP rate - hunting only,MSSQL,Compliance,,low,high,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^SQL.*
\MSSQL*,sql named pipes - hunt for process anomalies - high FP rate - hunting only,MSSQL,Compliance,,low,high,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^MSSQL.*
\wininet_activate,Uroburos - Named pipe used for internal communications,Uroburos,Malware,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,high,,high,offensive_tool,detection rule,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf,^wininet_activate$
\VBoxGuest,VirtualBox usage,VirtualBox,Defense Evasion,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^VBoxGuest$
\VBoxMiniRdDN,VirtualBox usage,VirtualBox,Defense Evasion,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^VBoxMiniRdDN$
\VBoxMiniRdrDN,VirtualBox usage,VirtualBox,Defense Evasion,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^VBoxMiniRdrDN$
\VBoxTrayIPC,VirtualBox usage,VirtualBox,Defense Evasion,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^VBoxTrayIPC$
\brutepipe,BruteRatel Pipe in sample,BruteRatel,C2,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/bruteratel.csv,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^brutepipe$
\vmware*,vmware usage,vmware,Compliance,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^vmware.*
\vncdump-*,vnc password sniffer,vncdump,Credential Access,https://www.codebus.net/d-2v0u.html,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/vncpwdump.csv,^vncdump-.*
\xlibwait,Trojan:Win32/Warece.C Defender signature,Warece,Malware,https://www.hybrid-analysis.com/sample/78f6014919d9615e86d0496ca0c3758b29b115016b56f71172797117ad08277b?environmentId=120,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^xlibwait$
\mviwait,Trojan:Win32/Warece.C Defender signature,Warece,Malware,https://www.hybrid-analysis.com/sample/78f6014919d9615e86d0496ca0c3758b29b115016b56f71172797117ad08277b?environmentId=120,critical,none,high,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^mviwait$
\C__WINDOWS_IEXPLORE.EXE,Trojan:Win32/Warece.C Defender signature,Warece,Malware,https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Trojan/Win32/Warece/Trojan_Win32_Warece_C.yar#L10,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^C__WINDOWS_IEXPLORE.EXE$
\lsassw,Wild Neutron APT pipe,Wild Neutron,Malware,https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/,high,,high,offensive_tool,detection rule,,https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/,^lsassw$
\winsession,Wild Neutron APT pipe,Wild Neutron,Malware,https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/,high,,high,offensive_tool,detection rule,,https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/,^winsession$
\WinPwnagePipe,Winpwnage elevatemethod3.py,WinPwnage,Privilege Escalation,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/elevate/elevateMethod3.py#L21,critical,,critical,offensive_tool,detection rule,,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/elevate/elevateMethod3.py#L21,^WinPwnagePipe$
\ProtectedPrefix\Administrators\WireGuard\*,used by Wireguard (VPN protocol included in transport communication of sliver C2),Wireguard,Defense Evasion,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv,high,low,high,greyware_tool,Hunting,\\.\pipe\ProtectedPrefix\Administrators\WireGuard\,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/wiresocks.csv,^ProtectedPrefix\\Administrators\\WireGuard\\.*
\wireshark*,Wireshark,Wireshark,Discovery,https://github.com/mthcht/awesome-lists,medium,low,medium,greyware_tool,Hunting,administrative tool - used by administrators,https://github.com/mthcht/awesome-lists,^wireshark.*
\wsl*,wsl usage,WSL,Compliance,https://github.com/mthcht/awesome-lists,info,,info,greyware_tool,Hunting,,https://github.com/mthcht/awesome-lists,^wsl.*
\OfflineKeyloggerPipe,offline keylogger used by xeno-rat,xeno-rat,C2,https://github.com/moom825/xeno-rat/blob/3438a2c958d0ac4af33268822cdf6cbeabba81f8/Plugins/KeyLoggerOffline/KeyLoggerOffline.cs#L23,critical,none,critical,offensive_tool,detection rule,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xeno-rat.csv,^OfflineKeyloggerPipe$
\wzcsvc_wep_keys*,Xtreme RAT pipe name,XtremeRAT,Malware,https://github.com/mthcht/Remote-administration-tools-archive/,critical,low,critical,offensive_tool,detection rule,,https://github.com/mthcht/awesome-lists,^wzcsvc_wep_keys.*
*\ZAudioClientPipe_*ServerWritePipe*,Zoho Assist Remote access software,Zoho Assist,RMM,https://www.zoho.com/assist/,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/Zoho%20Assist.csv,^.*\\ZAudioClientPipe_.*ServerWritePipe.*
*\ZAudioClientPipe_*ServerReadPipe*,Zoho Assist Remote access software,Zoho Assist,RMM,https://www.zoho.com/assist/,high,none,high,greyware_tool,Hunting,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/Zoho%20Assist.csv,^.*\\ZAudioClientPipe_.*ServerReadPipe.*