rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml

title: CobaltStrike Named Pipe Patterns
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
status: experimental
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
date: 2021/07/30
modified: 2021/08/26
author: Florian Roth, Christian Burkard
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
logsource:
   product: windows
   category: pipe_created
   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
   selection_malleable_profiles:
      - PipeName|startswith:
         - '\mojo.5688.8052.183894939787088877'
         - '\mojo.5688.8052.35780273329370473'
         - '\mypipe-f'
         - '\mypipe-h'
         - '\ntsvcs'
         - '\scerpc'
         - '\win_svc'
         - '\spoolss'
         - '\msrpc_'
         - '\win\msrpc_'
         - '\wkssvc'
         - '\f53f'
         - '\windows.update.manager'
         - '\SearchTextHarvester'
         - '\DserNamePipe'
         - '\PGMessagePipe'
         - '\MsFteWds'
         - '\f4c3'
         - '\fullduplex_'
         - '\rpc_'
      - PipeName:
         - '\demoagent_11'
         - '\demoagent_22'
   selection_malleable_profile_CatalogChangeListener:
      PipeName|startswith: '\Winsock2\CatalogChangeListener-'
      PipeName|endswith: '-0,'
   filter:
      PipeName:
         - '\wkssvc'
         - '\spoolss'
         - '\scerpc'
         - '\ntsvcs'
         - '\SearchTextHarvester'
         - '\PGMessagePipe'
         - '\MsFteWds'
   condition: 1 of selection_malleable_profile* and not filter
falsepositives:
   - Chrome instances using the exactly same name pipe named mojo.something
level: high
CobaltStrike NamedPipe Patterns 2021-07-30 07:11:11 +02:00			`title: CobaltStrike Named Pipe Patterns`
			`id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7`
			`status: experimental`
			`description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles`
			`references:`
			`- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575`
More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:30 +02:00			`- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752`
CobaltStrike NamedPipe Patterns 2021-07-30 07:11:11 +02:00			`date: 2021/07/30`
More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:30 +02:00			`modified: 2021/08/26`
Try to add more pipe names to this non-regex rule 2021-08-26 14:00:57 +02:00			`author: Florian Roth, Christian Burkard`
CobaltStrike NamedPipe Patterns 2021-07-30 07:11:11 +02:00			`tags:`
			`- attack.defense_evasion`
			`- attack.privilege_escalation`
			`- attack.t1055`
			`logsource:`
			`product: windows`
			`category: pipe_created`
docs: note to improved sysmon config 2021-09-01 13:07:18 +02:00			`definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'`
CobaltStrike NamedPipe Patterns 2021-07-30 07:11:11 +02:00			`detection:`
			`selection_malleable_profiles:`
More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:30 +02:00			`- PipeName\|startswith:`
CobaltStrike NamedPipe Patterns 2021-07-30 07:11:11 +02:00			`- '\mojo.5688.8052.183894939787088877'`
			`- '\mojo.5688.8052.35780273329370473'`
			`- '\mypipe-f'`
			`- '\mypipe-h'`
add applicable pipe names from regex rule 2021-08-26 14:53:20 +02:00			`- '\ntsvcs'`
			`- '\scerpc'`
More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:30 +02:00			`- '\win_svc'`
add applicable pipe names from regex rule 2021-08-26 14:53:20 +02:00			`- '\spoolss'`
Try to add more pipe names to this non-regex rule 2021-08-26 14:00:57 +02:00			`- '\msrpc_'`
			`- '\win\msrpc_'`
add applicable pipe names from regex rule 2021-08-26 14:53:20 +02:00			`- '\wkssvc'`
			`- '\f53f'`
			`- '\windows.update.manager'`
			`- '\SearchTextHarvester'`
			`- '\DserNamePipe'`
			`- '\PGMessagePipe'`
			`- '\MsFteWds'`
			`- '\f4c3'`
			`- '\fullduplex_'`
			`- '\rpc_'`
More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:30 +02:00			`- PipeName:`
			`- '\demoagent_11'`
			`- '\demoagent_22'`
add applicable pipe names from regex rule 2021-08-26 14:53:20 +02:00			`selection_malleable_profile_CatalogChangeListener:`
			`PipeName\|startswith: '\Winsock2\CatalogChangeListener-'`
			`PipeName\|endswith: '-0,'`
			`filter:`
			`PipeName:`
			`- '\wkssvc'`
			`- '\spoolss'`
			`- '\scerpc'`
			`- '\ntsvcs'`
			`- '\SearchTextHarvester'`
			`- '\PGMessagePipe'`
			`- '\MsFteWds'`
			`condition: 1 of selection_malleable_profile* and not filter`
CobaltStrike NamedPipe Patterns 2021-07-30 07:11:11 +02:00			`falsepositives:`
			`- Chrome instances using the exactly same name pipe named mojo.something`
			`level: high`