11-05-2022 03:44 AM
Hello dear community!
Is there a way to hunt for named pipe communication?
11-07-2022 12:33 AM
I believe you can use below XQL query.
preset = xdr_file
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and action_file_path contains "\NamedPipe\"
11-07-2022 12:47 AM
Just to add on top of Emre's suggestion, you can check out this article.
Query #7 is used to hunt SolarWind breaches based on namedpipe.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!