CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

80 lines
2.9 KiB
YAML
Raw Blame History

title: CobaltStrike Named Pipe Pattern Regex
author: Florian Roth
date: 2021/07/30
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike
Malleable C2 profiles
detection:
SELECTION_1:
EventID: 17
SELECTION_10:
PipeName|re: \\\\ntsvcs_[0-9a-f]{2}
SELECTION_11:
PipeName|re: \\\\scerpc_?[0-9a-f]{2}
SELECTION_12:
PipeName|re: \\\\PGMessagePipe[0-9a-f]{2}
SELECTION_13:
PipeName|re: \\\\MsFteWds[0-9a-f]{2}
SELECTION_14:
PipeName|re: \\\\f4c3[0-9a-f]{2}
SELECTION_15:
PipeName|re: \\\\fullduplex_[0-9a-f]{2}
SELECTION_16:
PipeName|re: \\\\msrpc_[0-9a-f]{4}
SELECTION_17:
PipeName|re: \\\\win\\\\msrpc_[0-9a-f]{2}
SELECTION_18:
PipeName|re: \\\\f53f[0-9a-f]{2}
SELECTION_19:
PipeName|re: \\\\rpc_[0-9a-f]{2}
SELECTION_2:
EventID: 18
SELECTION_20:
PipeName|re: \\\\spoolss_[0-9a-f]{2}
SELECTION_21:
PipeName|re: \\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,
SELECTION_3:
PipeName|re: \\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
SELECTION_4:
PipeName|re: \\\\wkssvc_?[0-9a-f]{2}
SELECTION_5:
PipeName|re: \\\\ntsvcs[0-9a-f]{2}
SELECTION_6:
PipeName|re: \\\\DserNamePipe[0-9a-f]{2}
SELECTION_7:
PipeName|re: \\\\SearchTextHarvester[0-9a-f]{2}
SELECTION_8:
PipeName|re: \\\\mypipe\-(?:f|h)[0-9a-f]{2}
SELECTION_9:
PipeName|re: \\\\windows\.update\.manager[0-9a-f]{2,3}
condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or
SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or
SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or
SELECTION_21))
falsepositives:
- Unknown
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
level: critical
logsource:
category: pipe_created
definition: Note that you have to configure logging for Named Pipe Events in Sysmon
config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon
configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth
verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g.
https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
How to test detection? You can always use Cobalt Strike, but also you can check
powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
product: windows
modified: 2021/09/02
references:
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink