LoFP LoFP / websense endpoint using the pipe name \"dsernamepipe(r|w)\d{1,5}\"

Techniques

Sample rules

CobaltStrike Named Pipe Patterns

Description

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Detection logic

condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1
  of filter_optional_*
filter_main_generic:
  PipeName:
  - \wkssvc
  - \spoolss
  - \scerpc
  - \ntsvcs
  - \SearchTextHarvester
  - \PGMessagePipe
  - \MsFteWds
filter_optional_websense:
  Image|contains:
  - :\Program Files\Websense\
  - :\Program Files (x86)\Websense\
  PipeName|startswith:
  - \DserNamePipeR
  - \DserNamePipeW
selection_malleable_profile_catalog_change_listener:
  PipeName|endswith: -0,
  PipeName|startswith: \Winsock2\CatalogChangeListener-
selection_malleable_profile_generic:
- PipeName|startswith:
  - \DserNamePipe
  - \f4c3
  - \f53f
  - \fullduplex_
  - \mojo.5688.8052.183894939787088877
  - \mojo.5688.8052.35780273329370473
  - \MsFteWds
  - \msrpc_
  - \mypipe-f
  - \mypipe-h
  - \ntsvcs
  - \PGMessagePipe
  - \rpc_
  - \scerpc
  - \SearchTextHarvester
  - \spoolss
  - \win_svc
  - \win\msrpc_
  - \windows.update.manager
  - \wkssvc
- PipeName:
  - \demoagent_11
  - \demoagent_22