From da30ec6259d34d42c46c53bab4e0b9e566033c70 Mon Sep 17 00:00:00 2001
From: Raven Tait
Date: Fri, 5 Dec 2025 14:08:46 -0500
Subject: [PATCH] Add attack data for named pipes used by tools
---
.../T1055/named_pipes/named_pipes.yml | 14 ++++++++++++++
.../T1055/named_pipes/windows-sysmon.log | 3 +++
2 files changed, 17 insertions(+)
create mode 100644 datasets/attack_techniques/T1055/named_pipes/named_pipes.yml
create mode 100644 datasets/attack_techniques/T1055/named_pipes/windows-sysmon.log
diff --git a/datasets/attack_techniques/T1055/named_pipes/named_pipes.yml b/datasets/attack_techniques/T1055/named_pipes/named_pipes.yml
new file mode 100644
index 00000000..93a3b1f0
--- /dev/null
+++ b/datasets/attack_techniques/T1055/named_pipes/named_pipes.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e7dc3e89-157f-41bc-97d3-9161fa9a5620
+date: '2025-12-05'
+description: Manual generation of attack data to generate default
+ named pipes associated with offensive tools.
+environment: custom
+directory: named_pipes
+mitre_technique:
+- T1055
+datasets:
+- name: windows-sysmon
+ path: /datasets/attack_techniques/T1055/named_pipes/windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1055/named_pipes/windows-sysmon.log b/datasets/attack_techniques/T1055/named_pipes/windows-sysmon.log
new file mode 100644
index 00000000..0702f568
--- /dev/null
+++ b/datasets/attack_techniques/T1055/named_pipes/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5787440e8de0d873a6d32e5f68e65517b1f3efa0531f312351743847a4746beb
+size 38570
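Review bot: The `description` in named_pipes.yml does not say which tools or pipe names the capture covers, or which Sysmon event types it holds. Anyone picking test data for a pipe-name detection has to fetch the LFS object to find out what a passing test actually proves. I would spell that out, for example `description: Manually generated Sysmon pipe events for the default named pipes of <TOOL_LIST>; one event per pipe name.`, and state the event IDs if they are the pipe-created/pipe-connected events (presumably 17/18, which cannot be confirmed from the pointer file). The dataset is tagged only `T1055`; if some of these pipes serve as C2 or lateral-movement channels rather than injection, a second `mitre_technique` entry may be warranted, so confirm against the detections that will consume it.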