Suspicious named pipes

Source
upstream

This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.

MITRE ATT&CK coverage

Tactic                Technique
Execution             T1559 Inter-Process Communication
Privilege Escalation  T1055 Process Injection
Defense Evasion       T1055 Process Injection

Event coverage

Provider               Event ID  Title
Sysmon                 17        PipeEvent (Pipe Created)
Sysmon                 18        PipeEvent (Pipe Connected)
Defender-DeviceEvents  9007006   Named pipe event

Stages and Predicates

Stage 1: source

DeviceEvents

Stage 2: where

 macro "(Timestamp >= ago(timeframe))"

Stage 3: where

ActionType eq "NamedPipeEvent"

Stage 4: extend

Stage 5: extend

Stage 6: extend

Stage 7: extend

Stage 8: extend

Stage 9: where

or
  and
    not
      or
        PipeName match "InitiatingPID"
        PipeName match "InitiatingParentPID"
        PipeName match "ThreadId"
        PipeName regex_match "\\\\(edge|chrome|edge\\.sync|chrome\\.sync)\\.\\d+\\.\\d+\\.\\d+$"
    PipeName regex_match "\\\\(edge|chrome)\\.sync\\.\\d+\\.\\d+\\."
  and
    not
      or
        PipeName match "InitiatingPID"
        PipeName match "InitiatingParentPID"
        PipeName match "ThreadId"
        PipeName regex_match "\\\\mojo\\.\\d+\\.\\d+\\.\\d+$"
    PipeName regex_match "\\\\mojo\\.\\d+\\.\\d+\\."
  and
    not
      or
        PipeName match "InitiatingPID"
        PipeName match "InitiatingParentPID"
        PipeName regex_match "\\\\PSHost\\.\\d+\\.\\d+\\."
    PipeName regex_match "\\\\PSHost\\.\\d+\\."
  and
    not
      or
        PipeName match "InitiatingPID"
        PipeName match "InitiatingParentPID"
        PipeName regex_match "\\\\crashpad_\\d+_[A-Z]+"
    PipeName regex_match "\\\\crashpad_"
  and
    not
      or
        PipeName match "InitiatingPID"
        PipeName regex_match "\\\\cubeb-pipe-\\d+_[0-9]{1,3}"
    PipeName regex_match "\\\\cubeb-pipe-"
  and
    PipeName match "CobaltStrikeMallable"
    PipeName regex_match "[a-fA-F0-9]{2,10}$"
  PipeName match "CobaltStrikeDefaults"
  PipeName regex_match "\\\\pipe\\\\[0-9a-f]{7,10}"
  PipeName regex_match "\\\\pipe\\\\[0-9a-f]{8}"
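
The stage 9 predicate above, re-implemented in Python over constructed events so the allow/flag logic can be stepped through. This is example code written for this page, not the upstream KQL: `match "InitiatingPID"` is taken to mean "the pipe name contains the creating process's PID as a string" (likewise for the parent PID and thread id), the `CobaltStrikeDefaults` and `CobaltStrikeMallable` lists are not reproduced on the page and are therefore left out, and the cubeb quantifier is written as `{1,3}`.

```python
import re

# Pipe-name families that legitimate software creates with its own PID/PPID/TID
# embedded. Malleable C2 profiles imitate these names, so a name from the family
# whose numbers do not belong to the creating process is what the rule flags.
# (loose family regex, strict well-formed regex, process fields that clear it)
NOISE_FAMILIES = [
    (r"\\(edge|chrome)\.sync\.\d+\.\d+\.",
     r"\\(edge|chrome|edge\.sync|chrome\.sync)\.\d+\.\d+\.\d+$", ("pid", "ppid", "tid")),
    (r"\\mojo\.\d+\.\d+\.", r"\\mojo\.\d+\.\d+\.\d+$", ("pid", "ppid", "tid")),
    (r"\\PSHost\.\d+\.", r"\\PSHost\.\d+\.\d+\.", ("pid", "ppid")),
    (r"\\crashpad_", r"\\crashpad_\d+_[A-Z]+", ("pid", "ppid")),
    (r"\\cubeb-pipe-", r"\\cubeb-pipe-\d+_[0-9]{1,3}", ("pid",)),
]
# Default hex pipe shape from the rule; the 7-10 form subsumes the 8-hex one.
DEFAULT_PIPE_RE = re.compile(r"\\pipe\\[0-9a-f]{7,10}")

def is_suspicious(event):
    """Return a reason string if the event matches the stage 9 predicate, else None."""
    if event["ActionType"] != "NamedPipeEvent":  # stage 3 filter
        return None
    name = event["PipeName"]
    for loose, strict, fields in NOISE_FAMILIES:
        if not re.search(loose, name):
            continue
        # The not(or(...)) branch: a name that carries one of the process's own
        # numbers, or that is fully well-formed, is legitimate noise.
        owns_numbers = any(str(event[f]) in name for f in fields)
        if owns_numbers or re.search(strict, name):
            continue
        return "family-lookalike:" + loose
    if DEFAULT_PIPE_RE.search(name):
        return "cobaltstrike-default-hex"
    return None

EVENTS = [  # constructed sample rows, not real telemetry
    {"ActionType": "NamedPipeEvent", "PipeName": r"\mojo.1234.5678.91011", "pid": 1234, "ppid": 1000, "tid": 5678},
    {"ActionType": "NamedPipeEvent", "PipeName": r"\PSHost.99.ABC.x", "pid": 1234, "ppid": 1000, "tid": 5678},
    {"ActionType": "NamedPipeEvent", "PipeName": r"\\.\pipe\a1b2c3d4", "pid": 4321, "ppid": 1000, "tid": 77},
    {"ActionType": "NamedPipeEvent", "PipeName": r"\crashpad_9999_QQQQ", "pid": 1234, "ppid": 1000, "tid": 5678},
    {"ActionType": "FileCreated", "PipeName": r"\pipe\deadbeef", "pid": 1, "ppid": 0, "tid": 1},
]

def run(events=EVENTS):
    """Evaluate every constructed event; only rows 2 and 3 are flagged."""
    return [(e["PipeName"], is_suspicious(e)) for e in events]
```

The crashpad row shows why the strict regex sits inside the `not(or(...))`: a well-formed name is cleared even when it carries none of the process's own numbers.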

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field       Kind         Values
ActionType  eq
  • NamedPipeEvent
PipeName    match
  • CobaltStrikeDefaults
  • CobaltStrikeMallable
PipeName    regex_match
  • [a-fA-F0-9]{2,10}$
  • \\(edge|chrome)\.sync\.\d+\.\d+\.
  • \\PSHost\.\d+\.
  • \\crashpad_
  • \\cubeb-pipe-
  • \\mojo\.\d+\.\d+\.
  • \\pipe\\[0-9a-f]{7,10}
  • \\pipe\\[0-9a-f]{8}