HackTool - CoercedPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
Sigma rule (View on GitHub)
1title: HackTool - CoercedPotato Named Pipe Creation
2id: 4d0083b3-580b-40da-9bba-626c19fe4033
3status: experimental
4description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
5references:
6 - https://blog.hackvens.fr/articles/CoercedPotato.html
7 - https://github.com/hackvens/CoercedPotato
8author: Florian Roth (Nextron Systems)
9date: 2023/10/11
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - attack.t1055
14logsource:
15 product: windows
16 category: pipe_created
17 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
18detection:
19 selection:
20 PipeName|contains: '\coerced\'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
CoercedPotato - Une patate de plus ! 🥔 Table des matières 1. Introduction 2. Une histoire de privilèges 3. Les Access Token Windows 4. Parlons bien, parlons « Named Pipe » 5. Un peu de Coercition d...
Read More -
Related rules
- Suspicious Child Process Of Wermgr.EXE
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- APT PRIVATELOG Image Load Pattern
- Potential Dridex Activity