Techniques
Sample rules
CobaltStrike Named Pipe Patterns
- source: sigma
- techniques:
  - t1055
Description
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
Detection logic
condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
    PipeName:
        - '\wkssvc'
        - '\spoolss'
        - '\scerpc'
        - '\ntsvcs'
        - '\SearchTextHarvester'
        - '\PGMessagePipe'
        - '\MsFteWds'
filter_optional_websense:
    Image|contains:
        - ':\Program Files\Websense\'
        - ':\Program Files (x86)\Websense\'
    PipeName|startswith:
        - '\DserNamePipeR'
        - '\DserNamePipeW'
selection_malleable_profile_catalog_change_listener:
    PipeName|endswith: '-0,'
    PipeName|startswith: '\Winsock2\CatalogChangeListener-'
selection_malleable_profile_generic:
    - PipeName|startswith:
        - '\DserNamePipe'
        - '\f4c3'
        - '\f53f'
        - '\fullduplex_'
        - '\mojo.5688.8052.183894939787088877'
        - '\mojo.5688.8052.35780273329370473'
        - '\MsFteWds'
        - '\msrpc_'
        - '\mypipe-f'
        - '\mypipe-h'
        - '\ntsvcs'
        - '\PGMessagePipe'
        - '\rpc_'
        - '\scerpc'
        - '\SearchTextHarvester'
        - '\spoolss'
        - '\win_svc'
        - '\win\msrpc_'
        - '\windows.update.manager'
        - '\wkssvc'
    - PipeName:
        - '\demoagent_11'
        - '\demoagent_22'
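As an added example (not part of the Sigma rule or its tooling), the following Python reimplements the detection logic above and runs it over a handful of constructed pipe-creation events. It assumes events are dicts carrying the two fields the rule references, PipeName and Image (as a Sysmon Event ID 17 record would), and that string matching is case-insensitive, which is Sigma's default. The Image paths in the sample events are invented. The sample set is chosen to show the interplay of the selections and filters: an exact legitimate name such as \wkssvc is suppressed by filter_main_generic, while a prefix variant such as \wkssvc_01 still alerts, and a \DserNamePipeR* pipe is suppressed only when the creating image lives under a Websense directory.

```python
"""Reimplementation of the CobaltStrike named-pipe Sigma rule (added example).
Events are dicts with the Sysmon-style fields the rule references: PipeName
and Image. Sigma string modifiers are case-insensitive, so every comparison
is done on lowercased values."""

# selection_malleable_profile_generic: PipeName|startswith
MALLEABLE_PREFIXES = [
    "\\DserNamePipe", "\\f4c3", "\\f53f", "\\fullduplex_",
    "\\mojo.5688.8052.183894939787088877", "\\mojo.5688.8052.35780273329370473",
    "\\MsFteWds", "\\msrpc_", "\\mypipe-f", "\\mypipe-h", "\\ntsvcs",
    "\\PGMessagePipe", "\\rpc_", "\\scerpc", "\\SearchTextHarvester",
    "\\spoolss", "\\win_svc", "\\win\\msrpc_", "\\windows.update.manager",
    "\\wkssvc",
]
# selection_malleable_profile_generic: PipeName (exact match)
MALLEABLE_EXACT = ["\\demoagent_11", "\\demoagent_22"]
# filter_main_generic: exact names of legitimate pipes that share a prefix with
# the malleable-profile list and must not alert on their own
FILTER_MAIN_EXACT = [
    "\\wkssvc", "\\spoolss", "\\scerpc", "\\ntsvcs",
    "\\SearchTextHarvester", "\\PGMessagePipe", "\\MsFteWds",
]
# filter_optional_websense: both keys of the map must hold (Sigma ANDs them)
WEBSENSE_IMAGE_SUBSTRINGS = [":\\Program Files\\Websense\\", ":\\Program Files (x86)\\Websense\\"]
WEBSENSE_PIPE_PREFIXES = ["\\DserNamePipeR", "\\DserNamePipeW"]


def _lc(value):
    """Lowercase a field value, treating a missing field as empty."""
    return (value or "").lower()


def selection_malleable_profile_generic(event):
    pipe = _lc(event.get("PipeName"))
    return (any(pipe.startswith(p.lower()) for p in MALLEABLE_PREFIXES)
            or pipe in [e.lower() for e in MALLEABLE_EXACT])


def selection_malleable_profile_catalog_change_listener(event):
    pipe = _lc(event.get("PipeName"))
    return (pipe.startswith("\\winsock2\\catalogchangelistener-")
            and pipe.endswith("-0,"))


def filter_main_generic(event):
    return _lc(event.get("PipeName")) in [e.lower() for e in FILTER_MAIN_EXACT]


def filter_optional_websense(event):
    image = _lc(event.get("Image"))
    pipe = _lc(event.get("PipeName"))
    return (any(s.lower() in image for s in WEBSENSE_IMAGE_SUBSTRINGS)
            and any(pipe.startswith(p.lower()) for p in WEBSENSE_PIPE_PREFIXES))


def matches(event):
    """condition: 1 of selection_malleable_profile_* and not 1 of filter_main_*
    and not 1 of filter_optional_*"""
    selected = (selection_malleable_profile_generic(event)
                or selection_malleable_profile_catalog_change_listener(event))
    return selected and not filter_main_generic(event) and not filter_optional_websense(event)


def evaluate(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry); Image paths are invented.
SAMPLE_EVENTS = [
    {"PipeName": "\\mojo.5688.8052.183894939787088877", "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"PipeName": "\\wkssvc", "Image": "C:\\Windows\\System32\\svchost.exe"},        # exact legitimate name
    {"PipeName": "\\wkssvc_01", "Image": "C:\\Windows\\System32\\svchost.exe"},     # prefix variant
    {"PipeName": "\\Winsock2\\CatalogChangeListener-3a4-0,", "Image": "C:\\Windows\\explorer.exe"},
    {"PipeName": "\\DserNamePipeR1", "Image": "C:\\Program Files\\Websense\\bin\\agent.exe"},  # Websense FP
    {"PipeName": "\\DserNamePipeR1", "Image": "C:\\Users\\Public\\update.exe"},
    {"PipeName": "\\lsass", "Image": "C:\\Windows\\System32\\lsass.exe"},
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print("ALERT", e["PipeName"], e["Image"])
```

Running the block prints four alerts: the mojo pipe, \wkssvc_01, the CatalogChangeListener pipe and the \DserNamePipeR1 pipe created by the non-Websense image; the exact \wkssvc, the Websense-created pipe and \lsass are not reported.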