mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
CobaltStrike NamedPipe Patterns
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
This commit is contained in:
parent
ec9c15226f
commit
0cbb6f82ad
36
rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
Normal file
36
rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
Normal file
@ -0,0 +1,36 @@
|
||||
title: CobaltStrike Named Pipe Pattern Regex
|
||||
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
|
||||
status: experimental
|
||||
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
|
||||
references:
|
||||
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
|
||||
date: 2021/07/30
|
||||
author: Florian Roth
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.privilege_escalation
|
||||
- attack.t1055
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
|
||||
detection:
|
||||
selection_re:
|
||||
PipeName|re:
|
||||
- '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
|
||||
- '\\mojo.5688.8052.35780273329370473[0-9a-f]{2}'
|
||||
- '\\wkssvc[0-9a-f]{2}'
|
||||
- '\\ntsvcs[0-9a-f]{2}'
|
||||
- '\\DserNamePipe[0-9a-f]{2}'
|
||||
- '\\SearchTextHarvester[0-9a-f]{2}'
|
||||
- '\\mypipe-f[0-9a-f]{2}'
|
||||
- '\\mypipe-h[0-9a-f]{2}'
|
||||
- '\\windows.update.manager[0-9a-f]{2}'
|
||||
- '\\windows.update.manager[0-9a-f]{3}'
|
||||
- '\\ntsvcs_[0-9a-f]{2}'
|
||||
- '\\scerpc_[0-9a-f]{2}'
|
||||
- '\\scerpc[0-9a-f]{2}'
|
||||
condition: selection_re
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
@ -0,0 +1,29 @@
|
||||
title: CobaltStrike Named Pipe Patterns
|
||||
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
|
||||
status: experimental
|
||||
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
|
||||
references:
|
||||
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
|
||||
date: 2021/07/30
|
||||
author: Florian Roth
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.privilege_escalation
|
||||
- attack.t1055
|
||||
logsource:
|
||||
product: windows
|
||||
category: pipe_created
|
||||
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
|
||||
detection:
|
||||
selection_malleable_profiles:
|
||||
PipeName|startswith:
|
||||
- '\mojo.5688.8052.183894939787088877'
|
||||
- '\mojo.5688.8052.35780273329370473'
|
||||
- '\mypipe-f'
|
||||
- '\mypipe-h'
|
||||
- '\ntsvcs_'
|
||||
- '\scerpc_'
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Chrome instances using the exactly same name pipe named mojo.something
|
||||
level: high
|
Loading…
Reference in New Issue
Block a user