CobaltStrike Named Pipe
Sigma rule. Detects the creation of a named pipe as used by CobaltStrike.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055 Process Injection |
| Defense Evasion | T1055 Process Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
Stages and Predicates
Stage 1: 1 of selection_MSSE
PipeName|contains: '-server'
PipeName|contains: '\MSSE-'
Stage 2: 1 of selection_postex
PipeName|startswith: '\postex_'
Stage 3: 1 of selection_status
PipeName|startswith: '\status_'
Stage 4: 1 of selection_msagent
PipeName|startswith: '\msagent_'
Stage 5: 1 of selection_mojo
PipeName|startswith: '\mojo_'
Stage 6: 1 of selection_interprocess
PipeName|startswith: '\interprocess_'
Stage 7: 1 of selection_samr
PipeName|startswith: '\samr_'
Stage 8: 1 of selection_netlogon
PipeName|startswith: '\netlogon_'
Stage 9: 1 of selection_srvsvc
PipeName|startswith: '\srvsvc_'
Stage 10: 1 of selection_lsarpc
PipeName|startswith: '\lsarpc_'
Stage 11: 1 of selection_wkssvc
PipeName|startswith: '\wkssvc_'
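The rule's predicates applied to Sysmon pipe events, as an added Python example that is not code from the catalog or the Sigma project; the event dicts, the `evaluate` and `scan` helpers, and the reading of selection_MSSE as two ANDed predicates are assumptions.

```python
# Added example: evaluates this rule's predicates against constructed
# Sysmon pipe events. It is not part of the rule or the catalog page.
MSSE_CONTAINS = ["\\MSSE-", "-server"]           # selection_MSSE (both must hold)
STARTSWITH = ["\\postex_", "\\status_", "\\msagent_", "\\mojo_",
              "\\interprocess_", "\\samr_", "\\netlogon_", "\\srvsvc_",
              "\\lsarpc_", "\\wkssvc_"]            # one selection each


def evaluate(event: dict) -> list:
    """Return the names of the selections that fire for one Sysmon event.

    The rule's condition is '1 of selection_*', so any non-empty result is a
    hit. Only Sysmon EID 17 (pipe created) and 18 (pipe connected) are in
    scope, as in the event coverage above. Sigma string matching is
    case-insensitive by default, hence the .lower() calls.
    """
    if event.get("EventID") not in (17, 18):
        return []
    name = str(event.get("PipeName", "")).lower()
    hits = []
    # Assumption: the two predicates of selection_MSSE are separate map
    # entries, which Sigma ANDs (e.g. \MSSE-1234-server satisfies both).
    if all(v.lower() in name for v in MSSE_CONTAINS):
        hits.append("selection_MSSE")
    for prefix in STARTSWITH:
        if name.startswith(prefix.lower()):
            hits.append("selection_" + prefix.strip("\\_"))
    return hits


def scan(events: list) -> list:
    """Run the rule over a batch; returns (PipeName, selections) for hits."""
    return [(e["PipeName"], evaluate(e)) for e in events if evaluate(e)]


# Constructed sample events in the shape Sysmon's PipeName field takes.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "PipeName": "\\MSSE-4891-server"},
    {"EventID": 18, "Image": "C:\\Windows\\explorer.exe",
     "PipeName": "\\postex_7f3a"},
    {"EventID": 17, "Image": "C:\\Windows\\System32\\lsass.exe",
     "PipeName": "\\lsass"},
    {"EventID": 3, "Image": "C:\\Temp\\tool.exe", "PipeName": "\\status_1"},
]

if __name__ == "__main__":
    for pipe, selections in scan(SAMPLE_EVENTS):
        print(f"ALERT {pipe}: {', '.join(selections)}")
```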
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| PipeName | match (contains) | '\MSSE-', '-server' |
| PipeName | starts_with | '\postex_', '\status_', '\msagent_', '\mojo_', '\interprocess_', '\samr_', '\netlogon_', '\srvsvc_', '\lsarpc_', '\wkssvc_' |