title: CobaltStrike Named Pipe Pattern Regex
author: Florian Roth
date: 2021/07/30
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike
  Malleable C2 profiles
detection:
  SELECTION_1:
    EventID: 17
  SELECTION_10:
    PipeName|re: \\\\ntsvcs_[0-9a-f]{2}
  SELECTION_11:
    PipeName|re: \\\\scerpc_?[0-9a-f]{2}
  SELECTION_12:
    PipeName|re: \\\\PGMessagePipe[0-9a-f]{2}
  SELECTION_13:
    PipeName|re: \\\\MsFteWds[0-9a-f]{2}
  SELECTION_14:
    PipeName|re: \\\\f4c3[0-9a-f]{2}
  SELECTION_15:
    PipeName|re: \\\\fullduplex_[0-9a-f]{2}
  SELECTION_16:
    PipeName|re: \\\\msrpc_[0-9a-f]{4}
  SELECTION_17:
    PipeName|re: \\\\win\\\\msrpc_[0-9a-f]{2}
  SELECTION_18:
    PipeName|re: \\\\f53f[0-9a-f]{2}
  SELECTION_19:
    PipeName|re: \\\\rpc_[0-9a-f]{2}
  SELECTION_2:
    EventID: 18
  SELECTION_20:
    PipeName|re: \\\\spoolss_[0-9a-f]{2}
  SELECTION_21:
    PipeName|re: \\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,
  SELECTION_3:
    PipeName|re: \\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
  SELECTION_4:
    PipeName|re: \\\\wkssvc_?[0-9a-f]{2}
  SELECTION_5:
    PipeName|re: \\\\ntsvcs[0-9a-f]{2}
  SELECTION_6:
    PipeName|re: \\\\DserNamePipe[0-9a-f]{2}
  SELECTION_7:
    PipeName|re: \\\\SearchTextHarvester[0-9a-f]{2}
  SELECTION_8:
    PipeName|re: \\\\mypipe\-(?:f|h)[0-9a-f]{2}
  SELECTION_9:
    PipeName|re: \\\\windows\.update\.manager[0-9a-f]{2,3}
  condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or
    SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or
    SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or
    SELECTION_21))
falsepositives:
- Unknown
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
level: critical
logsource:
  category: pipe_created
  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
    config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
    configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
    verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
    https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g.
    https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
    How to test detection? You can always use Cobalt Strike, but also you can check
    powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
  product: windows
modified: 2021/09/02
references:
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
ruletype: SIGMA