From 6565811928caa47bad5405ee7319612748fdc8ad Mon Sep 17 00:00:00 2001 From: AntwortEinesLebens Date: Wed, 21 Aug 2024 17:58:26 +0200 Subject: [PATCH 1/2] =?UTF-8?q?style:=20=F0=9F=92=84=20Format=20TOML=20fil?= =?UTF-8?q?es?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cliff.toml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/cliff.toml b/cliff.toml index 34e04e4..5278ba6 100644 --- a/cliff.toml +++ b/cliff.toml @@ -50,7 +50,7 @@ footer = """ """ trim = true postprocessors = [ - { pattern = '', replace = "https://github.com/frack113/WAG/" }, + { pattern = '', replace = "https://github.com/frack113/WAG/" }, ] [git] 
@@ -58,21 +58,21 @@ conventional_commits = true
 filter_unconventional = true
 split_commits = false
 commit_preprocessors = [
- { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](/issues/${2}))" },
- { pattern = '.*', replace_command = 'typos --write-changes -' },
+ { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](/issues/${2}))" },
+ { pattern = '.*', replace_command = 'typos --write-changes -' },
 ]
 commit_parsers = [
- { message = "^feat", group = "โœจ Features" },
- { message = "^fix", group = "๐Ÿ› Bug Fixes" },
- { message = "^doc", group = "๐Ÿ“š Documentation" },
- { message = "^style", group = "๐Ÿ’„ Styling" },
- { message = "^refactor", group = "๐Ÿ”จ Refactor" },
- { message = "^perf", group = "โšก Performance" },
- { message = "^test", group = "๐Ÿšจ Testing" },
- { message = "^build", group = "๐Ÿ“ฆ Build" },
- { message = "^ci", group = "๐Ÿค– CI" },
- { message = "^chore", group = "๐Ÿงน Miscellaneous" },
- { message = "^revert", group = "โช Revert" },
+ { message = "^feat", group = "โœจ Features" },
+ { message = "^fix", group = "๐Ÿ› Bug Fixes" },
+ { message = "^doc", group = "๐Ÿ“š Documentation" },
+ { message = "^style", group = "๐Ÿ’„ Styling" },
+ { message = "^refactor", group = "๐Ÿ”จ Refactor" },
+ { message = "^perf", group = "โšก Performance" },
+ { message = "^test", group = "๐Ÿšจ Testing" },
+ { message = "^build", group = "๐Ÿ“ฆ Build" },
+ { message = "^ci", group = "๐Ÿค– CI" },
+ { message = "^chore", group = "๐Ÿงน Miscellaneous" },
+ { message = "^revert", group = "โช Revert" },
 ]
 protect_breaking_commits = false
 filter_commits = false
From 21ed5533f6624d32863fc3ad2b1aac3b99d8e661 Mon Sep 17 00:00:00 2001
From: AntwortEinesLebens Date: Wed, 21 Aug 2024 18:02:23 +0200 Subject: [PATCH 2/2] =?UTF-8?q?style:=20=F0=9F=92=84=20Format=20Mardown=20?= =?UTF-8?q?files?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/Artefacts.md | 356 +++++++++++++++++++++++----------------------- docs/cli_help.md | 218 ++++++++++++++-------------- 2 files changed, 287 insertions(+), 287 deletions(-) diff --git a/docs/Artefacts.md b/docs/Artefacts.md index 5ae6b8f..75aa07c 100644 --- a/docs/Artefacts.md +++ b/docs/Artefacts.md 
@@ -1,178 +1,178 @@ - - -# Artefact list - -- [Sysmon V15 Artefact](#sysmon-v15-artefact) - - [Process creation (1)](#process-creation-1) - - [process changed a file creation time (2)](#process-changed-a-file-creation-time-2) - - [Network connection (3)](#network-connection-3) - - [Sysmon service state changed (4)](#sysmon-service-state-changed-4) - - [Process terminated (5)](#process-terminated-5) - - [Driver loaded (6)](#driver-loaded-6) - - [Image loaded (7)](#image-loaded-7) - - [CreateRemoteThread (8)](#createremotethread-8) - - [RawAccessRead (9)](#rawaccessread-9) - - [ProcessAccess (10)](#processaccess-10) - - [FileCreate (11)](#filecreate-11) - - [RegistryEvent (12,13,14)](#registryevent-121314) - - [FileCreateStreamHash (15)](#filecreatestreamhash-15) - - [ServiceConfigurationChange (16)](#serviceconfigurationchange-16) - - [PipeEvent (17,18)](#pipeevent-1718) - - [WmiEvent (19,20,21)](#wmievent-192021) - - [DNSEvent (22)](#dnsevent-22) - - [FileDelete (23)](#filedelete-23) - - [ClipboardChange (24)](#clipboardchange-24) - - [ProcessTampering (25)](#processtampering-25) - - [FileDeleteDetected (26)](#filedeletedetected-26) - - [FileBlockExecutable (27)](#fileblockexecutable-27) - - [FileBlockShredding (28)](#fileblockshredding-28) - - [FileExecutableDetected (29)](#fileexecutabledetected-29) - - [Error (255)](#error-255) -- [Windows builtin Channel](#windows-builtin-channel) - -# Sysmon V15 Artefact - -- โœ” Wag can create artefact -- โœ– Wag will not create artefact - -โ“ Need to be check - -| EventID | Description | Cover by wag | -| ------- | ----------------------------------------------------- | ------------ | -| 1 | Process creation | โœ– | -| 2 | process changed a file creation time | โ“ | -| 3 | Network connection | โœ– | -| 4 | Sysmon service state changed | โœ– | -| 5 | Process terminated | โœ– | -| 6 | Driver loaded | โœ” | -| 7 | Image loaded | โ“ | -| 8 | CreateRemoteThread | โ“ | -| 9 | RawAccessRead | โ“ | -| 10 | ProcessAccess | โ“ | 
-| 11 | FileCreate | โœ” | -| 12 | RegistryEvent (Object create and delete) | โœ– | -| 13 | RegistryEvent (Value Set) | โœ– | -| 14 | RegistryEvent (Key and Value Rename) | โœ– | -| 15 | FileCreateStreamHash | โœ” | -| 16 | ServiceConfigurationChange | โœ– | -| 17 | PipeEvent (Pipe Created) | โœ” | -| 18 | PipeEvent (Pipe Connected) | โ“ | -| 19 | WmiEvent (WmiEventFilter activity detected) | โ“ | -| 20 | WmiEvent (WmiEventConsumer activity detected) | โ“ | -| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | โ“ | -| 22 | DNSEvent (DNS query) | โœ– | -| 23 | FileDelete (File Delete archived) | โ“ | -| 24 | ClipboardChange (New content in the clipboard) | โ“ | -| 25 | ProcessTampering (Process image change) | โ“ | -| 26 | FileDeleteDetected (File Delete logged) | โ“ | -| 27 | FileBlockExecutable | โ“ | -| 28 | FileBlockShredding | โ“ | -| 29 | FileExecutableDetected | โ“ | -| 255 | Error | โœ– | - -## Process creation (1) - -Cover by other tools like Atomic RedTeam - -## process changed a file creation time (2) - -Need to see its usefulness - -## Network connection (3) - -Cover by other tools like Atomic RedTeam - -## Sysmon service state changed (4) - -Need to see its usefulness - -## Process terminated (5) - -Cover by other tools like Atomic RedTeam - -## Driver loaded (6) - -Done by the option X - -## Image loaded (7) - -Need to see its usefulness - -## CreateRemoteThread (8) - -Need to see its usefulness - -## RawAccessRead (9) - -Need to see its usefulness - -## ProcessAccess (10) - -Need to see its usefulness - -## FileCreate (11) - -Done by the option X - -## RegistryEvent (12,13,14) - -Cover by other tools like Atomic RedTeam - -## FileCreateStreamHash (15) - -Done but get a bug when in Sysmon to validate - -## ServiceConfigurationChange (16) - -Need to see its usefulness - -## PipeEvent (17,18) - -Only Pipe Created , no Pipe Connected - -## WmiEvent (19,20,21) - -Need to see its usefulness - -## DNSEvent (22) - -Cover by other tools 
like Atomic RedTeam - -## FileDelete (23) - -Need to see its usefulness - -## ClipboardChange (24) - -Need to see its usefulness - -## ProcessTampering (25) - -Need to see its usefulness - -## FileDeleteDetected (26) - -Need to see its usefulness - -## FileBlockExecutable (27) - -Need to see its usefulness - -## FileBlockShredding (28) - -Need to see its usefulness - -## FileExecutableDetected (29) - -Need to see its usefulness - -## Error (255) - -Need to see its usefulness - -# Windows builtin Channel - -- code_integrity when use driver option + + +# Artefact list + +- [Sysmon V15 Artefact](#sysmon-v15-artefact) + - [Process creation (1)](#process-creation-1) + - [process changed a file creation time (2)](#process-changed-a-file-creation-time-2) + - [Network connection (3)](#network-connection-3) + - [Sysmon service state changed (4)](#sysmon-service-state-changed-4) + - [Process terminated (5)](#process-terminated-5) + - [Driver loaded (6)](#driver-loaded-6) + - [Image loaded (7)](#image-loaded-7) + - [CreateRemoteThread (8)](#createremotethread-8) + - [RawAccessRead (9)](#rawaccessread-9) + - [ProcessAccess (10)](#processaccess-10) + - [FileCreate (11)](#filecreate-11) + - [RegistryEvent (12,13,14)](#registryevent-121314) + - [FileCreateStreamHash (15)](#filecreatestreamhash-15) + - [ServiceConfigurationChange (16)](#serviceconfigurationchange-16) + - [PipeEvent (17,18)](#pipeevent-1718) + - [WmiEvent (19,20,21)](#wmievent-192021) + - [DNSEvent (22)](#dnsevent-22) + - [FileDelete (23)](#filedelete-23) + - [ClipboardChange (24)](#clipboardchange-24) + - [ProcessTampering (25)](#processtampering-25) + - [FileDeleteDetected (26)](#filedeletedetected-26) + - [FileBlockExecutable (27)](#fileblockexecutable-27) + - [FileBlockShredding (28)](#fileblockshredding-28) + - [FileExecutableDetected (29)](#fileexecutabledetected-29) + - [Error (255)](#error-255) +- [Windows builtin Channel](#windows-builtin-channel) + +# Sysmon V15 Artefact + +- โœ” Wag can create artefact 
+- โœ– Wag will not create artefact + -โ“ Need to be check + +| EventID | Description | Cover by wag | +| ------- | ----------------------------------------------------- | ------------ | +| 1 | Process creation | โœ– | +| 2 | process changed a file creation time | โ“ | +| 3 | Network connection | โœ– | +| 4 | Sysmon service state changed | โœ– | +| 5 | Process terminated | โœ– | +| 6 | Driver loaded | โœ” | +| 7 | Image loaded | โ“ | +| 8 | CreateRemoteThread | โ“ | +| 9 | RawAccessRead | โ“ | +| 10 | ProcessAccess | โ“ | +| 11 | FileCreate | โœ” | +| 12 | RegistryEvent (Object create and delete) | โœ– | +| 13 | RegistryEvent (Value Set) | โœ– | +| 14 | RegistryEvent (Key and Value Rename) | โœ– | +| 15 | FileCreateStreamHash | โœ” | +| 16 | ServiceConfigurationChange | โœ– | +| 17 | PipeEvent (Pipe Created) | โœ” | +| 18 | PipeEvent (Pipe Connected) | โ“ | +| 19 | WmiEvent (WmiEventFilter activity detected) | โ“ | +| 20 | WmiEvent (WmiEventConsumer activity detected) | โ“ | +| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | โ“ | +| 22 | DNSEvent (DNS query) | โœ– | +| 23 | FileDelete (File Delete archived) | โ“ | +| 24 | ClipboardChange (New content in the clipboard) | โ“ | +| 25 | ProcessTampering (Process image change) | โ“ | +| 26 | FileDeleteDetected (File Delete logged) | โ“ | +| 27 | FileBlockExecutable | โ“ | +| 28 | FileBlockShredding | โ“ | +| 29 | FileExecutableDetected | โ“ | +| 255 | Error | โœ– | + +## Process creation (1) + +Cover by other tools like Atomic RedTeam + +## process changed a file creation time (2) + +Need to see its usefulness + +## Network connection (3) + +Cover by other tools like Atomic RedTeam + +## Sysmon service state changed (4) + +Need to see its usefulness + +## Process terminated (5) + +Cover by other tools like Atomic RedTeam + +## Driver loaded (6) + +Done by the option X + +## Image loaded (7) + +Need to see its usefulness + +## CreateRemoteThread (8) + +Need to see its usefulness + +## 
RawAccessRead (9) + +Need to see its usefulness + +## ProcessAccess (10) + +Need to see its usefulness + +## FileCreate (11) + +Done by the option X + +## RegistryEvent (12,13,14) + +Cover by other tools like Atomic RedTeam + +## FileCreateStreamHash (15) + +Done but get a bug when in Sysmon to validate + +## ServiceConfigurationChange (16) + +Need to see its usefulness + +## PipeEvent (17,18) + +Only Pipe Created , no Pipe Connected + +## WmiEvent (19,20,21) + +Need to see its usefulness + +## DNSEvent (22) + +Cover by other tools like Atomic RedTeam + +## FileDelete (23) + +Need to see its usefulness + +## ClipboardChange (24) + +Need to see its usefulness + +## ProcessTampering (25) + +Need to see its usefulness + +## FileDeleteDetected (26) + +Need to see its usefulness + +## FileBlockExecutable (27) + +Need to see its usefulness + +## FileBlockShredding (28) + +Need to see its usefulness + +## FileExecutableDetected (29) + +Need to see its usefulness + +## Error (255) + +Need to see its usefulness + +# Windows builtin Channel + +- code_integrity when use driver option diff --git a/docs/cli_help.md b/docs/cli_help.md index 507527b..07bcb0c 100644 --- a/docs/cli_help.md +++ b/docs/cli_help.md 
@@ -1,109 +1,109 @@ - - -# Ads - -`wag ads -f fullpath -a ads -d data` - -* fullpath: regex of the full path -* ads: name of the stream -* data: base64 of the data to write - -| Type | ads | data | -| -------------- | --------------- | -------------------------------------------------------------------------------------------- | -| ZoneTransfer 0 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0wDQpSZWZlcnJlclVybD1jOlx3aW5kb3dzXHdhZy56aXANCg== | -| ZoneTransfer 1 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0xDQpSZWZlcnJlclVybD0vL3N2cl9BRC93YWcuemlwDQo= | -| ZoneTransfer 2 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0yDQpSZWZlcnJlclVybD1odHRwOi8vbXlzaXRlLm9yZy93YWcuemlwDQo= | -| ZoneTransfer 3 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0zDQpSZWZlcnJlclVybD1odHRwczovL3NvbWVzaXRlLmNvbS93YWcuemlwDQo= | -| ZoneTransfer 4 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD00DQpSZWZlcnJlclVybD1odHRwOi8vbWFsd2FyZS5iYWQvd2FnLnppcA0K | -| Sysmon | sysmon | SSBhbSB0aGUgYmVzdCB0byBoaWRlIGZyb20gc3lzbW9u | - -# File - -## magicbytes - -| Type | Hex | -| ---- | ------------------------------------ | -| Exe | TVo= | -| Zip | UEsDBA== | -| Vmdk | S0RN | -| Iso | Q0QwMDE= | -| Txt | QSBzaW1wbGUgdGV4dCBmaWxl | -| Ps1 | d3JpdGUtaG9zdCAiV0FHIHdhcyBIZXJlIgo= | - -## well known File - -`wag file-create -f fullpath -m Magicbyte_Hex ` - -* fullpath: regex of the full path -* Magicbyte_Hex: base64 of the magicbytes to write -* admin: can use `--admin` to check if run as administrator - -| Type | Admin | Magicbyte | fullpath | -| -------------- | ----- | --------- | -------------------------------------------------------- | -| NPPSpy | true | Exe | `C:/Windows/System32/NPPSpy\.dll` | -| SafetyKatz | false | Zip | *SystemRoot* + `Temp\\debug\.bin` | -| SmallSieve_txt | false | Txt | *LocalAppData* + `MicrosoftWindowsOutlookDataPlus\.txt` | -| SmallSieve_exe | false | Exe | *AppData* + `OutlookMicrosift\\index\.exe` | -| SNAKE_jpsetup | false | Exe | *TEMP* + `jpsetup\.exe` 
| -| SNAKE_jpinst | false | Exe | *TEMP* + `jpinst\\.exe` | -| SNAKE_Comadmin | true | Exe | `C:\\Windows\\System32\\Com\\Comadmin\.dat` | -| COLDSTEEL_exe | false | Exe | `C:\\users\\public\\Documents\\dllhost\.exe` | -| COLDSTEEL_dll | false | Exe | *APPDATA* + `newdev\.dll` | -| temp_ps1_12 | false | Ps1 | *SystemRoot* + `temp\[0-9a-f]{12}\.ps1` | - -Remark: You need to convert the environment variable into a correct regular expression. - -# Named pipe - -`wag name-pipe -n name` - -* name: named pipe name as a regex - -| Type | name | -| ------------------ | -------------------------------------------------- | -| CSExec | `\\csexecsvc` | -| psexec | `\\psexec` | -| psexec | `\\PAExec` | -| psexec | `\\remcom` | -| psexec | `\\csexec` | -| psexec | `\\PSEXESVC` | -| Cobal_strike | `\\wkssvc_?[0-9a-f]{2}` | -| Cobal_strike | `\\ntsvcs[0-9a-f]{2}` | -| Cobal_strike | `\\DserNamePipe[0-9a-f]{2}` | -| Cobal_strike | `\\SearchTextHarvester[0-9a-f]{2}` | -| Cobal_strike | `\\windows\\.update\\.manager[0-9a-f]{2,3}` | -| Cobal_strike | `\\ntsvcs_[0-9a-f]{2}` | -| Cobal_strike | `\\scerpc_?[0-9a-f]{2}` | -| Cobal_strike | `\\PGMessagePipe[0-9a-f]{2}` | -| Cobal_strike | `\\MsFteWds[0-9a-f]{2}` | -| Cobal_strike | `\\f4c3[0-9a-f]{2}` | -| Cobal_strike | `\\fullduplex_[0-9a-f]{2}` | -| Cobal_strike | `\\msrpc_[0-9a-f]{4}` | -| Cobal_strike | `\\win\\msrpc_[0-9a-f]{2}` | -| Cobal_strike | `\\f53f[0-9a-f]{2}` | -| Cobal_strike | `\\rpc_[0-9a-f]{2}` | -| Cobal_strike | `\\spoolss_[0-9a-f]{2}` | -| Cobal_strike | `\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,` | -| DiagTrackEoP | `thisispipe` | -| EfsPotato | `\\pipe\\srvsvc` | -| Credential_Dumping | `\\cachedump` | -| Credential_Dumping | `\\lsadump` | -| Credential_Dumping | `\\wceservicepipe` | -| Koh | `\\imposecost` | -| Koh | `\\imposingcost` | -| PowerShell | `\\PSHost` | -| ADFS | `\\MICROSOFT##WID\\tsql\\query` | - -# Mutex - -`wag mutex -n name` - -* name: mutex name as a regex - -| Type | name | -| ---------- | 
------------------ | -| avoslocker | `Cheic0WaZie6zeiy` | + + +# Ads + +`wag ads -f fullpath -a ads -d data` + +- fullpath: regex of the full path +- ads: name of the stream +- data: base64 of the data to write + +| Type | ads | data | +| -------------- | --------------- | -------------------------------------------------------------------------------------------- | +| ZoneTransfer 0 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0wDQpSZWZlcnJlclVybD1jOlx3aW5kb3dzXHdhZy56aXANCg== | +| ZoneTransfer 1 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0xDQpSZWZlcnJlclVybD0vL3N2cl9BRC93YWcuemlwDQo= | +| ZoneTransfer 2 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0yDQpSZWZlcnJlclVybD1odHRwOi8vbXlzaXRlLm9yZy93YWcuemlwDQo= | +| ZoneTransfer 3 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0zDQpSZWZlcnJlclVybD1odHRwczovL3NvbWVzaXRlLmNvbS93YWcuemlwDQo= | +| ZoneTransfer 4 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD00DQpSZWZlcnJlclVybD1odHRwOi8vbWFsd2FyZS5iYWQvd2FnLnppcA0K | +| Sysmon | sysmon | SSBhbSB0aGUgYmVzdCB0byBoaWRlIGZyb20gc3lzbW9u | + +# File + +## magicbytes + +| Type | Hex | +| ---- | ------------------------------------ | +| Exe | TVo= | +| Zip | UEsDBA== | +| Vmdk | S0RN | +| Iso | Q0QwMDE= | +| Txt | QSBzaW1wbGUgdGV4dCBmaWxl | +| Ps1 | d3JpdGUtaG9zdCAiV0FHIHdhcyBIZXJlIgo= | + +## well known File + +`wag file-create -f fullpath -m Magicbyte_Hex ` + +- fullpath: regex of the full path +- Magicbyte_Hex: base64 of the magicbytes to write +- admin: can use `--admin` to check if run as administrator + +| Type | Admin | Magicbyte | fullpath | +| -------------- | ----- | --------- | ------------------------------------------------------- | +| NPPSpy | true | Exe | `C:/Windows/System32/NPPSpy\.dll` | +| SafetyKatz | false | Zip | _SystemRoot_ + `Temp\\debug\.bin` | +| SmallSieve_txt | false | Txt | _LocalAppData_ + `MicrosoftWindowsOutlookDataPlus\.txt` | +| SmallSieve_exe | false | Exe | _AppData_ + `OutlookMicrosift\\index\.exe` | +| SNAKE_jpsetup | 
false | Exe | _TEMP_ + `jpsetup\.exe` | +| SNAKE_jpinst | false | Exe | _TEMP_ + `jpinst\\.exe` | +| SNAKE_Comadmin | true | Exe | `C:\\Windows\\System32\\Com\\Comadmin\.dat` | +| COLDSTEEL_exe | false | Exe | `C:\\users\\public\\Documents\\dllhost\.exe` | +| COLDSTEEL_dll | false | Exe | _APPDATA_ + `newdev\.dll` | +| temp_ps1_12 | false | Ps1 | _SystemRoot_ + `temp\[0-9a-f]{12}\.ps1` | + +Remark: You need to convert the environment variable into a correct regular expression. + +# Named pipe + +`wag name-pipe -n name` + +- name: named pipe name as a regex + +| Type | name | +| ------------------ | -------------------------------------------------- | +| CSExec | `\\csexecsvc` | +| psexec | `\\psexec` | +| psexec | `\\PAExec` | +| psexec | `\\remcom` | +| psexec | `\\csexec` | +| psexec | `\\PSEXESVC` | +| Cobal_strike | `\\wkssvc_?[0-9a-f]{2}` | +| Cobal_strike | `\\ntsvcs[0-9a-f]{2}` | +| Cobal_strike | `\\DserNamePipe[0-9a-f]{2}` | +| Cobal_strike | `\\SearchTextHarvester[0-9a-f]{2}` | +| Cobal_strike | `\\windows\\.update\\.manager[0-9a-f]{2,3}` | +| Cobal_strike | `\\ntsvcs_[0-9a-f]{2}` | +| Cobal_strike | `\\scerpc_?[0-9a-f]{2}` | +| Cobal_strike | `\\PGMessagePipe[0-9a-f]{2}` | +| Cobal_strike | `\\MsFteWds[0-9a-f]{2}` | +| Cobal_strike | `\\f4c3[0-9a-f]{2}` | +| Cobal_strike | `\\fullduplex_[0-9a-f]{2}` | +| Cobal_strike | `\\msrpc_[0-9a-f]{4}` | +| Cobal_strike | `\\win\\msrpc_[0-9a-f]{2}` | +| Cobal_strike | `\\f53f[0-9a-f]{2}` | +| Cobal_strike | `\\rpc_[0-9a-f]{2}` | +| Cobal_strike | `\\spoolss_[0-9a-f]{2}` | +| Cobal_strike | `\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,` | +| DiagTrackEoP | `thisispipe` | +| EfsPotato | `\\pipe\\srvsvc` | +| Credential_Dumping | `\\cachedump` | +| Credential_Dumping | `\\lsadump` | +| Credential_Dumping | `\\wceservicepipe` | +| Koh | `\\imposecost` | +| Koh | `\\imposingcost` | +| PowerShell | `\\PSHost` | +| ADFS | `\\MICROSOFT##WID\\tsql\\query` | + +# Mutex + +`wag mutex -n name` + +- name: mutex name as a 
regex + +| Type | name | +| ---------- | ------------------ | +| avoslocker | `Cheic0WaZie6zeiy` |