CobaltStrike Named Pipe Patterns

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Sigma rule (View on GitHub)

 1title: CobaltStrike Named Pipe Patterns
 2id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
 3related:
 4    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
 5      type: similar
 6    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
 7      type: similar
 8status: test
 9description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
10references:
11    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
12    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
13author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
14date: 2021-07-30
15modified: 2024-01-26
16tags:
17    - attack.defense-evasion
18    - attack.privilege-escalation
19    - attack.t1055
20    - stp.1k
21logsource:
22    product: windows
23    category: pipe_created
24    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
25detection:
26    selection_malleable_profile_generic:
27        - PipeName|startswith:
28              - '\DserNamePipe'
29              - '\f4c3'
30              - '\f53f'
31              - '\fullduplex_'
32              - '\mojo.5688.8052.183894939787088877'
33              - '\mojo.5688.8052.35780273329370473'
34              - '\MsFteWds'
35              - '\msrpc_'
36              - '\mypipe-f'
37              - '\mypipe-h'
38              - '\ntsvcs'
39              - '\PGMessagePipe'
40              - '\rpc_'
41              - '\scerpc'
42              - '\SearchTextHarvester'
43              - '\spoolss'
44              - '\win_svc'
45              - '\win\msrpc_'
46              - '\windows.update.manager'
47              - '\wkssvc'
48        - PipeName:
49              - '\demoagent_11'
50              - '\demoagent_22'
51    selection_malleable_profile_catalog_change_listener:
52        PipeName|startswith: '\Winsock2\CatalogChangeListener-'
53        PipeName|endswith: '-0,'
54    filter_main_generic:
55        PipeName:
56            - '\wkssvc'
57            - '\spoolss'
58            - '\scerpc'
59            - '\ntsvcs'
60            - '\SearchTextHarvester'
61            - '\PGMessagePipe'
62            - '\MsFteWds'
63    filter_optional_websense:
64        Image|contains:
65            - ':\Program Files\Websense\'
66            - ':\Program Files (x86)\Websense\'
67        PipeName|startswith:
68            - '\DserNamePipeR'
69            - '\DserNamePipeW'
70    condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1 of filter_optional_*
71falsepositives:
72    - Chrome instances using the exact same pipe name "mojo.xxx"
73    - Websense Endpoint using the pipe name "DserNamePipe(R|W)\d{1,5}"
74level: high

References

Related rules

to-top