Detection rules › Sigma

CobaltStrike Named Pipe Patterns

Severity
high
Author
Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
Source
upstream

Detects the creation of, or connection to, a named pipe whose name matches a pattern found in CobaltStrike malleable C2 profiles (Sysmon Event ID 17 and 18).

MITRE ATT&CK coverage

Tactic | Technique
Privilege Escalation | T1055 Process Injection
Defense Evasion | T1055 Process Injection

Event coverage

Provider | Event ID | Title
Sysmon | 17 | PipeEvent (Pipe Created)
Sysmon | 18 | PipeEvent (Pipe Connected)

Sysmon emits events 17 and 18 only when its configuration enables PipeEvent logging (for example a PipeEvent rule group with onmatch="exclude", which records all pipes). Confirm that this telemetry is actually collected before relying on the rule. The PipeName field carries the name without the \\.\pipe\ prefix (e.g. \spoolss), which is the form the patterns below expect.

Stages and Predicates

The rule fires when either selection stage (1 or 2) matches and neither filter stage (3 or 4) matches. Within a stage, predicates listed under "or:" are alternatives; predicates listed side by side without "or:" must all hold. Sigma string comparisons are case-insensitive by default.

Stage 1: 1 of selection_malleable_profile_generic

or:
PipeName: '\demoagent_11'
PipeName: '\demoagent_22'
PipeName|startswith: '\DserNamePipe'
PipeName|startswith: '\MsFteWds'
PipeName|startswith: '\PGMessagePipe'
PipeName|startswith: '\SearchTextHarvester'
PipeName|startswith: '\f4c3'
PipeName|startswith: '\f53f'
PipeName|startswith: '\fullduplex_'
PipeName|startswith: '\mojo.5688.8052.183894939787088877'
PipeName|startswith: '\mojo.5688.8052.35780273329370473'
PipeName|startswith: '\msrpc_'
PipeName|startswith: '\mypipe-f'
PipeName|startswith: '\mypipe-h'
PipeName|startswith: '\ntsvcs'
PipeName|startswith: '\rpc_'
PipeName|startswith: '\scerpc'
PipeName|startswith: '\spoolss'
PipeName|startswith: '\win\msrpc_'
PipeName|startswith: '\win_svc'
PipeName|startswith: '\windows.update.manager'
PipeName|startswith: '\wkssvc'

Stage 2: 1 of selection_malleable_profile_catalog_change_listener

Both predicates must hold (the pipe name starts with the prefix and ends with the suffix):
PipeName|endswith: '-0,'
PipeName|startswith: '\Winsock2\CatalogChangeListener-'

Stage 3: not 1 of filter_main_generic

PipeName: ['\MsFteWds', '\PGMessagePipe', '\SearchTextHarvester', '\ntsvcs', '\scerpc', '\spoolss', '\wkssvc']

These are exact-match exclusions for the legitimate pipe names that Stage 1 matches with startswith. Removing the exact names leaves only variants with characters appended after the legitimate prefix, which is how the malleable profile patterns differ from the real Windows service pipes (\ntsvcs, \scerpc, \spoolss, \wkssvc) and vendor pipes.

Stage 4: not 1 of filter_optional_websense

Both groups must hold for the event to be excluded: the creating process image is under a Websense installation directory and the pipe name is one of the two DserNamePipe variants.

or:
Image|contains: ':\Program Files (x86)\Websense\'
Image|contains: ':\Program Files\Websense\'
or:
PipeName|startswith: '\DserNamePipeR'
PipeName|startswith: '\DserNamePipeW'
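To make the stage logic concrete, the following is an added example (not code from the Sigma rule, the Nextron authors or the catalog): a plain-Python re-implementation of the four stages, run over constructed Sysmon-style Event ID 17/18 records. The records, process paths and pipe suffixes are made up for illustration; the EventID, Image and PipeName field names follow Sysmon's pipe events. It shows why the exact-name filter in Stage 3 matters (\ntsvcs is dropped, \ntsvcs_9a1f alerts), that Stage 2 needs both the prefix and the suffix, and that the Websense exclusion applies only when the image path matches as well.

```python
# Added example: re-implementation of the rule's stage logic for local testing.
# Not part of the Sigma rule or the page. Sigma string matching is
# case-insensitive by default, so every comparison is done in lower case.

SELECTION_GENERIC_EQ = ("\\demoagent_11", "\\demoagent_22")
SELECTION_GENERIC_STARTSWITH = (
    "\\DserNamePipe", "\\MsFteWds", "\\PGMessagePipe", "\\SearchTextHarvester",
    "\\f4c3", "\\f53f", "\\fullduplex_",
    "\\mojo.5688.8052.183894939787088877", "\\mojo.5688.8052.35780273329370473",
    "\\msrpc_", "\\mypipe-f", "\\mypipe-h", "\\ntsvcs", "\\rpc_", "\\scerpc",
    "\\spoolss", "\\win\\msrpc_", "\\win_svc", "\\windows.update.manager", "\\wkssvc",
)
CATALOG_PREFIX = "\\Winsock2\\CatalogChangeListener-"
CATALOG_SUFFIX = "-0,"
FILTER_MAIN_EXACT = ("\\MsFteWds", "\\PGMessagePipe", "\\SearchTextHarvester",
                     "\\ntsvcs", "\\scerpc", "\\spoolss", "\\wkssvc")
FILTER_WEBSENSE_IMAGE = (":\\Program Files (x86)\\Websense\\", ":\\Program Files\\Websense\\")
FILTER_WEBSENSE_PIPE = ("\\DserNamePipeR", "\\DserNamePipeW")


def _lc(values):
    return tuple(v.lower() for v in values)


def stage1_generic(pipe: str) -> bool:
    """selection_malleable_profile_generic: exact names OR any of the prefixes."""
    p = pipe.lower()
    return p in _lc(SELECTION_GENERIC_EQ) or p.startswith(_lc(SELECTION_GENERIC_STARTSWITH))


def stage2_catalog_change_listener(pipe: str) -> bool:
    """Both predicates sit in one selection map, so prefix AND suffix must hold."""
    p = pipe.lower()
    return p.startswith(CATALOG_PREFIX.lower()) and p.endswith(CATALOG_SUFFIX)


def stage3_filter_main(pipe: str) -> bool:
    """Exact legitimate pipe names that Stage 1 would otherwise catch via startswith."""
    return pipe.lower() in _lc(FILTER_MAIN_EXACT)


def stage4_filter_websense(image: str, pipe: str) -> bool:
    """Websense image path AND a DserNamePipeR/W pipe; either alone is not enough."""
    img, p = image.lower(), pipe.lower()
    return any(s in img for s in _lc(FILTER_WEBSENSE_IMAGE)) and p.startswith(_lc(FILTER_WEBSENSE_PIPE))


def rule_matches(event: dict) -> bool:
    """Combine the stages as the rule does: either selection, and neither filter."""
    if event.get("EventID") not in (17, 18):   # only Sysmon pipe events are in scope
        return False
    pipe = event.get("PipeName", "")
    image = event.get("Image", "")
    selected = stage1_generic(pipe) or stage2_catalog_change_listener(pipe)
    filtered = stage3_filter_main(pipe) or stage4_filter_websense(image, pipe)
    return selected and not filtered


# Constructed Sysmon-style records (not real telemetry); paths and suffixes are made up.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\ntsvcs"},
    {"EventID": 17, "Image": "C:\\Windows\\Temp\\svc.exe", "PipeName": "\\ntsvcs_9a1f"},
    {"EventID": 18, "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\win\\msrpc_4c2e"},
    {"EventID": 17, "Image": "C:\\Program Files\\Websense\\agent.exe", "PipeName": "\\DserNamePipeR42"},
    {"EventID": 17, "Image": "C:\\Users\\Public\\update.exe", "PipeName": "\\DserNamePipeR42"},
    {"EventID": 17, "Image": "C:\\Windows\\explorer.exe", "PipeName": "\\Winsock2\\CatalogChangeListener-3e8-0,"},
    {"EventID": 17, "Image": "C:\\Windows\\explorer.exe", "PipeName": "\\Winsock2\\CatalogChangeListener-3e8-1,"},
    {"EventID": 18, "Image": "C:\\Users\\Public\\demo.exe", "PipeName": "\\DEMOAGENT_11"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\demo.exe", "PipeName": "\\spoolss_x"},
]


def evaluate(events):
    """Return the PipeName of every event the rule would alert on, in input order."""
    return [e["PipeName"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT", name)
```

Of the nine constructed records, five alert: the suffixed \ntsvcs_9a1f, \win\msrpc_4c2e, the DserNamePipeR pipe from a non-Websense process, the CatalogChangeListener name ending in -0, and the upper-cased \DEMOAGENT_11. The exact \ntsvcs, the Websense-owned DserNamePipeR, the listener name ending in -1, and the non-pipe event are all dropped.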

Indicators

Each row is a field, the operator (kind) applied to it, and the values the rule compares against. The same value can appear under two kinds, for example \ntsvcs under starts_with (Stage 1 selection) and under eq (Stage 3 exclusion of the exact legitimate name).

Field | Kind | Values
Image | match (substring)
  • :\Program Files (x86)\Websense\
  • :\Program Files\Websense\
PipeName | ends_with
  • -0,
PipeName | eq
  • \MsFteWds
  • \PGMessagePipe
  • \SearchTextHarvester
  • \demoagent_11
  • \demoagent_22
  • \ntsvcs
  • \scerpc
  • \spoolss
  • \wkssvc
PipeName | starts_with
  • \DserNamePipe
  • \DserNamePipeR
  • \DserNamePipeW
  • \MsFteWds
  • \PGMessagePipe
  • \SearchTextHarvester
  • \Winsock2\CatalogChangeListener-
  • \f4c3
  • \f53f
  • \fullduplex_
  • \mojo.5688.8052.183894939787088877
  • \mojo.5688.8052.35780273329370473
  • \msrpc_
  • \mypipe-f
  • \mypipe-h
  • \ntsvcs
  • \rpc_
  • \scerpc
  • \spoolss
  • \win\msrpc_
  • \win_svc
  • \windows.update.manager
  • \wkssvc