Cobalt Strike Beacon Implant Command Issued via Named Pipe (RedCanary Threat Detection Report)
Detects named pipe creation indicating Cobalt Strike beacon implant issuing commands via SMB named pipe. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Cobalt Strike Beacon Implant Command Issued via Named Pipe (RedCanary Threat Detection Report)
2id: 0da8f33f-2703-4a4e-92f8-a6090a31b1e1
3status: experimental
4description: Detects named pipe creation indicating Cobalt Strike beacon implant issuing commands via SMB named pipe. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.s0154
11logsource:
12 category: pipe_created
13 product: windows
14detection:
15 selection:
16 PipeName|startswith:
17 - '\msagent_'
18 - '\interprocess_'
19 - '\lsarpc_'
20 - '\samr_'
21 - '\netlogon_'
22 - '\wkssvc_'
23 - '\srvsvc_'
24 - '\mojo_'
25 - '\postex_'
26 - '\status_'
27 - '\msse-'
28 condition: selection
29falsepositives:
30 - Unknown
31level: low```
References
-
Cobalt Strike is a favorite C2 tool among adversaries, as many rely on its functionality to maintain a foothold into victim organizations.
Read More
Related rules
- Cobalt Strike Beacon Getsystem Pattern (RedCanary Threat Detection Report)
- Cobalt Strike UAC Bypass Using SQL Server Client Configuration Utility (RedCanary Threat Detection Report)
- Default Cobalt Strike Certificate