title: CobaltStrike Named Pipe Patterns
author: Florian Roth, Christian Burkard
date: 2021/07/30
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
detection:
    SELECTION_1:
        EventID: 17
    SELECTION_2:
        EventID: 18
    SELECTION_3:
        PipeName: \mojo.5688.8052.183894939787088877*
    SELECTION_4:
        PipeName: \mojo.5688.8052.35780273329370473*
    SELECTION_5:
        PipeName: \mypipe-f*
    SELECTION_6:
        PipeName: \mypipe-h*
    SELECTION_7:
        PipeName: \ntsvcs*
    SELECTION_8:
        PipeName: \scerpc*
    SELECTION_9:
        PipeName: \win_svc*
    SELECTION_10:
        PipeName: \spoolss*
    SELECTION_11:
        PipeName: \msrpc_*
    SELECTION_12:
        PipeName: \win\msrpc_*
    SELECTION_13:
        PipeName: \wkssvc*
    SELECTION_14:
        PipeName: \f53f*
    SELECTION_15:
        PipeName: \windows.update.manager*
    SELECTION_16:
        PipeName: \SearchTextHarvester*
    SELECTION_17:
        PipeName: \DserNamePipe*
    SELECTION_18:
        PipeName: \PGMessagePipe*
    SELECTION_19:
        PipeName: \MsFteWds*
    SELECTION_20:
        PipeName: \f4c3*
    SELECTION_21:
        PipeName: \fullduplex_*
    SELECTION_22:
        PipeName: \rpc_*
    SELECTION_23:
        PipeName: \demoagent_11
    SELECTION_24:
        PipeName: \demoagent_22
    SELECTION_25:
        PipeName: \Winsock2\CatalogChangeListener-*
    SELECTION_26:
        PipeName: '*-0,'
    SELECTION_27:
        PipeName: \wkssvc
    SELECTION_28:
        PipeName: \spoolss
    SELECTION_29:
        PipeName: \scerpc
    SELECTION_30:
        PipeName: \ntsvcs
    SELECTION_31:
        PipeName: \SearchTextHarvester
    SELECTION_32:
        PipeName: \PGMessagePipe
    SELECTION_33:
        PipeName: \MsFteWds
    condition: ((SELECTION_1 or SELECTION_2) and (((SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22) or (SELECTION_23 or SELECTION_24)) or (SELECTION_25 and SELECTION_26)) and not ((SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33)))
falsepositives:
    - Chrome instances using exactly the same named pipe (mojo.*)
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
level: high
logsource:
    category: pipe_created
    definition: >-
        Named pipe events (Event ID 17 and Event ID 18) have to be enabled in the Sysmon
        configuration. The popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config)
        includes them, but it is worth verifying. Other repositories can be used as well, e.g.
        https://github.com/Neo23x0/sysmon-config or https://github.com/olafhartong/sysmon-modular.
        To test the detection you can run Cobalt Strike, or use the PowerShell script from
        https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    product: windows
modified: 2021/08/26
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
status: experimental
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
yml_filename: sysmon_susp_cobaltstrike_pipe_patterns.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
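The following Python is an added worked example, not part of the rule above or of the Sigma project. It re-implements the rule's condition (the wildcard selections, the two exact names, the combined Winsock2 prefix-plus-suffix selection, and the `not filter` clause) and runs it over a handful of constructed Sysmon pipe events. The event records are made up for illustration; the `Image` field is carried along only to make the output readable. Wildcards are evaluated with `fnmatch` on lowercased values, which is an assumption about how the rule's case-insensitive `*` matching behaves in a real backend. The point the example makes is the one the filter selections carry: a pipe named exactly `\wkssvc` or `\spoolss` is what the real Windows services create and is ignored, while the same name with any suffix fires.

```python
"""Re-implementation of the CobaltStrike Named Pipe Patterns rule over constructed Sysmon events."""
from fnmatch import fnmatchcase

# SELECTION_1 / SELECTION_2: Sysmon PipeCreated (17) and PipeConnected (18)
PIPE_EVENT_IDS = {17, 18}

# SELECTION_3 .. SELECTION_22: prefix-style wildcard patterns copied from the rule
PREFIX_PATTERNS = [
    r"\mojo.5688.8052.183894939787088877*",
    r"\mojo.5688.8052.35780273329370473*",
    r"\mypipe-f*", r"\mypipe-h*", r"\ntsvcs*", r"\scerpc*", r"\win_svc*",
    r"\spoolss*", r"\msrpc_*", r"\win\msrpc_*", r"\wkssvc*", r"\f53f*",
    r"\windows.update.manager*", r"\SearchTextHarvester*", r"\DserNamePipe*",
    r"\PGMessagePipe*", r"\MsFteWds*", r"\f4c3*", r"\fullduplex_*", r"\rpc_*",
]
# SELECTION_23 / SELECTION_24: exact names
EXACT_NAMES = frozenset(n.lower() for n in (r"\demoagent_11", r"\demoagent_22"))
# SELECTION_25 and SELECTION_26 must both hold
CATALOG_PREFIX = r"\Winsock2\CatalogChangeListener-*"
CATALOG_SUFFIX = "*-0,"
# SELECTION_27 .. SELECTION_33: exact names of legitimate Windows service pipes
# that the prefix patterns would otherwise catch
FILTER_EXACT = frozenset(n.lower() for n in (
    r"\wkssvc", r"\spoolss", r"\scerpc", r"\ntsvcs",
    r"\SearchTextHarvester", r"\PGMessagePipe", r"\MsFteWds",
))


def _glob(value: str, pattern: str) -> bool:
    # Assumption: Sigma-style '*' wildcard, matched case-insensitively
    return fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event: dict) -> bool:
    """Return True if a Sysmon event satisfies the rule's condition expression."""
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False
    name = event.get("PipeName", "")
    lowered = name.lower()

    hit = (
        any(_glob(name, p) for p in PREFIX_PATTERNS)
        or lowered in EXACT_NAMES
        or (_glob(name, CATALOG_PREFIX) and _glob(name, CATALOG_SUFFIX))
    )
    if not hit:
        return False
    # "and not (SELECTION_27 or ...)": the bare service pipe name is legitimate,
    # a suffixed variant such as \wkssvc_xyz is what the rule is after
    return lowered not in FILTER_EXACT


# Constructed sample events (not real telemetry). A Sysmon 17/18 record carries
# EventID, PipeName and Image among other fields.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\wkssvc", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 17, "PipeName": r"\wkssvc_demo", "Image": r"C:\Users\u\beacon.exe"},
    {"EventID": 18, "PipeName": r"\msagent_12", "Image": r"C:\Users\u\beacon.exe"},
    {"EventID": 17, "PipeName": r"\Winsock2\CatalogChangeListener-2f4-0,", "Image": r"C:\Users\u\x.exe"},
    {"EventID": 17, "PipeName": r"\Winsock2\CatalogChangeListener-2f4-0", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 17, "PipeName": r"\mojo.5688.8052.183894939787088877_1",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "PipeName": r"\spoolss_x", "Image": r"C:\Users\u\beacon.exe"},
    {"EventID": 18, "PipeName": r"\DEMOAGENT_22", "Image": r"C:\Users\u\beacon.exe"},
]


def alerts(events):
    """Return the PipeName of every event the rule fires on, in input order."""
    return [e["PipeName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for pipe in alerts(SAMPLE_EVENTS):
        print("ALERT", pipe)
```

Of the eight constructed events, four fire: `\wkssvc_demo` (prefix match, not the bare service name), the CatalogChangeListener name that ends in `-0,` (the one without the trailing comma does not satisfy SELECTION_26), the Chrome `mojo.*` pipe (the documented false positive, so a real deployment would filter on `Image`), and `\DEMOAGENT_22` (exact match, case-insensitive). The bare `\wkssvc` is suppressed by the filter, `\msagent_12` is a name the rule does not list, and the EventID 1 record is not a pipe event at all.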