107 lines
3.8 KiB
YAML
```yaml
title: CobaltStrike Named Pipe Patterns
author: Florian Roth, Christian Burkard
date: 2021/07/30
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
detection:
  SELECTION_1:
    EventID: 17
  SELECTION_2:
    EventID: 18
  SELECTION_3:
    PipeName: \mojo.5688.8052.183894939787088877*
  SELECTION_4:
    PipeName: \mojo.5688.8052.35780273329370473*
  SELECTION_5:
    PipeName: \mypipe-f*
  SELECTION_6:
    PipeName: \mypipe-h*
  SELECTION_7:
    PipeName: \ntsvcs*
  SELECTION_8:
    PipeName: \scerpc*
  SELECTION_9:
    PipeName: \win_svc*
  SELECTION_10:
    PipeName: \spoolss*
  SELECTION_11:
    PipeName: \msrpc_*
  SELECTION_12:
    PipeName: \win\msrpc_*
  SELECTION_13:
    PipeName: \wkssvc*
  SELECTION_14:
    PipeName: \f53f*
  SELECTION_15:
    PipeName: \windows.update.manager*
  SELECTION_16:
    PipeName: \SearchTextHarvester*
  SELECTION_17:
    PipeName: \DserNamePipe*
  SELECTION_18:
    PipeName: \PGMessagePipe*
  SELECTION_19:
    PipeName: \MsFteWds*
  SELECTION_20:
    PipeName: \f4c3*
  SELECTION_21:
    PipeName: \fullduplex_*
  SELECTION_22:
    PipeName: \rpc_*
  SELECTION_23:
    PipeName: \demoagent_11
  SELECTION_24:
    PipeName: \demoagent_22
  SELECTION_25:
    PipeName: \Winsock2\CatalogChangeListener-*
  SELECTION_26:
    PipeName: '*-0,'
  SELECTION_27:
    PipeName: \wkssvc
  SELECTION_28:
    PipeName: \spoolss
  SELECTION_29:
    PipeName: \scerpc
  SELECTION_30:
    PipeName: \ntsvcs
  SELECTION_31:
    PipeName: \SearchTextHarvester
  SELECTION_32:
    PipeName: \PGMessagePipe
  SELECTION_33:
    PipeName: \MsFteWds
  condition: ((SELECTION_1 or SELECTION_2) and (((SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22) or (SELECTION_23 or SELECTION_24)) or (SELECTION_25 and SELECTION_26)) and not ((SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33)))
falsepositives:
  - Chrome instances using exactly the same named pipe (named mojo.something)
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
level: high
logsource:
  category: pipe_created
  definition: Note that you have to configure logging for Named Pipe Events in the Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in the popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repos, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test the detection? You can always use Cobalt Strike, but you can also check the powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
  product: windows
modified: 2021/08/26
references:
  - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
  - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
status: experimental
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - attack.t1055
yml_filename: sysmon_susp_cobaltstrike_pipe_patterns.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
```
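The condition above is easy to misread, so here is the same logic evaluated over constructed Sysmon pipe events, as an added example that is not part of the rule, of Sigma, or of the Yamato Security project. It assumes Sigma's plain string semantics (case-insensitive, `*` matches any run of characters) and that only the `*` wildcard is used; the sample events and their pipe names are constructed, not real telemetry.

```python
import re

# Patterns copied from the rule above. SELECTION_3..SELECTION_24 are OR-ed.
PIPE_PATTERNS = [
    r"\mojo.5688.8052.183894939787088877*", r"\mojo.5688.8052.35780273329370473*",
    r"\mypipe-f*", r"\mypipe-h*", r"\ntsvcs*", r"\scerpc*", r"\win_svc*",
    r"\spoolss*", r"\msrpc_*", r"\win\msrpc_*", r"\wkssvc*", r"\f53f*",
    r"\windows.update.manager*", r"\SearchTextHarvester*", r"\DserNamePipe*",
    r"\PGMessagePipe*", r"\MsFteWds*", r"\f4c3*", r"\fullduplex_*", r"\rpc_*",
    r"\demoagent_11", r"\demoagent_22",
]
# SELECTION_25 AND SELECTION_26: both must hold for the same pipe name.
WINSOCK_PAIR = (r"\Winsock2\CatalogChangeListener-*", "*-0,")
# SELECTION_27..SELECTION_33: exact legitimate names excluded by the "not" clause.
LEGIT_EXACT = [r"\wkssvc", r"\spoolss", r"\scerpc", r"\ntsvcs",
               r"\SearchTextHarvester", r"\PGMessagePipe", r"\MsFteWds"]


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma-style string match: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's condition against one pipe_created event."""
    if event.get("EventID") not in (17, 18):          # SELECTION_1 or SELECTION_2
        return False
    pipe = event.get("PipeName", "")
    suspicious = any(sigma_match(pipe, p) for p in PIPE_PATTERNS)
    winsock = all(sigma_match(pipe, p) for p in WINSOCK_PAIR)
    if not (suspicious or winsock):
        return False
    # Exact legitimate names are filtered; a name with an appended suffix is not.
    return not any(sigma_match(pipe, p) for p in LEGIT_EXACT)


# Constructed sample events (assumed field names follow Sysmon's EventID/PipeName).
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\spoolss"},         # legitimate spooler pipe, filtered
    {"EventID": 17, "PipeName": r"\spoolss6d2a"},     # \spoolss* with suffix, alerts
    {"EventID": 18, "PipeName": r"\lsarpc"},          # benign, not in the list
    {"EventID": 17, "PipeName": r"\Winsock2\CatalogChangeListener-3f8-0,"},  # both halves
    {"EventID": 17, "PipeName": r"\Winsock2\CatalogChangeListener-3f8-1,"},  # only half
    {"EventID": 1, "PipeName": r"\msrpc_1234"},       # wrong event id, ignored
    {"EventID": 18, "PipeName": r"\MOJO.5688.8052.183894939787088877abc"},  # case-insensitive
]


def evaluate(events: list) -> list:
    """Return the pipe names of the events that trigger the rule."""
    return [e["PipeName"] for e in events if matches_rule(e)]
```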