CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
Sigma rule (View on GitHub)
1title: CobaltStrike Named Pipe Patterns
2id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
3related:
4 - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
5 type: similar
6 - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
7 type: similar
8status: test
9description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
10references:
11 - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
12 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
13author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
14date: 2021-07-30
15modified: 2024-01-26
16tags:
17 - attack.defense-evasion
18 - attack.privilege-escalation
19 - attack.t1055
20 - stp.1k
21logsource:
22 product: windows
23 category: pipe_created
24 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
25detection:
26 selection_malleable_profile_generic:
27 - PipeName|startswith:
28 - '\DserNamePipe'
29 - '\f4c3'
30 - '\f53f'
31 - '\fullduplex_'
32 - '\mojo.5688.8052.183894939787088877'
33 - '\mojo.5688.8052.35780273329370473'
34 - '\MsFteWds'
35 - '\msrpc_'
36 - '\mypipe-f'
37 - '\mypipe-h'
38 - '\ntsvcs'
39 - '\PGMessagePipe'
40 - '\rpc_'
41 - '\scerpc'
42 - '\SearchTextHarvester'
43 - '\spoolss'
44 - '\win_svc'
45 - '\win\msrpc_'
46 - '\windows.update.manager'
47 - '\wkssvc'
48 - PipeName:
49 - '\demoagent_11'
50 - '\demoagent_22'
51 selection_malleable_profile_catalog_change_listener:
52 PipeName|startswith: '\Winsock2\CatalogChangeListener-'
53 PipeName|endswith: '-0,'
54 filter_main_generic:
55 PipeName:
56 - '\wkssvc'
57 - '\spoolss'
58 - '\scerpc'
59 - '\ntsvcs'
60 - '\SearchTextHarvester'
61 - '\PGMessagePipe'
62 - '\MsFteWds'
63 filter_optional_websense:
64 Image|contains:
65 - ':\Program Files\Websense\'
66 - ':\Program Files (x86)\Websense\'
67 PipeName|startswith:
68 - '\DserNamePipeR'
69 - '\DserNamePipeW'
70 condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1 of filter_optional_*
71falsepositives:
72 - Chrome instances using the exact same pipe name "mojo.xxx"
73 - Websense Endpoint using the pipe name "DserNamePipe(R|W)\d{1,5}"
74level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- HackTool - CoercedPotato Execution
- HackTool - EfsPotato Named Pipe Creation