Important and relevant NamedPipe names

[Neo23x0]

The events generated by an explicit matches on the listed pipe names should be few and highly relevant.

[WojciechLesicki]

Hi @Neo23x0,
after PR to Sigma rules (SigmaHQ/sigma#1505) I have created similar PR for sysmon:
#150
:)

I think your proposition is better because it is more universal. I, on the other hand, focused on Cobalt Strike.
But I propose to add one more:
<PipeName condition="begin with">\msagent_</PipeName>
to detect SMB Beacon communication. (according to https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/)

[Neo23x0]

@WojciechLesicki : Oh, I haven't noticed your PR. I've added the missing pipe and also added some comments.

[aaronrunkle]

Looks like there may be a typo - psexec, no?
<PipeName condition="contains any">paexec;remcom;csexec</PipeName>

EDIT:
Looks like paexec is a thing - https://www.poweradmin.com/paexec/

Any reason why psexec is not listed as well?

[Neo23x0]

No, Psexec may cause too many FPs. I intentionally tried to include only pipes that indicate unwanted or malicious behaviour.

[Neo23x0]

Ping

[WojciechLesicki]

Only as a reference - today similar PR from me was merged on @olafhartong repo:
olafhartong/sysmon-modular#97

As @Neo23x0 mentioned - we need this also here :)