CobaltStrike NamedPipe Patterns

https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
2024-11-07 09:48:58 +00:00 · 2021-07-30 07:11:11 +02:00 · 2021-07-30 07:11:11 +02:00 · 0cbb6f82ad
commit 0cbb6f82ad
parent ec9c15226f
2 changed files with 65 additions and 0 deletions
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
@ -0,0 +1,36 @@
 title: CobaltStrike Named Pipe Pattern Regex
 id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
 status: experimental
 description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
 references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 date: 2021/07/30
 author: Florian Roth
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
 logsource:
   product: windows
   category: pipe_created
   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
 detection:
   selection_re:
      PipeName|re:
         - '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
         - '\\mojo.5688.8052.35780273329370473[0-9a-f]{2}'
         - '\\wkssvc[0-9a-f]{2}'
         - '\\ntsvcs[0-9a-f]{2}'
         - '\\DserNamePipe[0-9a-f]{2}'
         - '\\SearchTextHarvester[0-9a-f]{2}'
         - '\\mypipe-f[0-9a-f]{2}'
         - '\\mypipe-h[0-9a-f]{2}'
         - '\\windows.update.manager[0-9a-f]{2}'
         - '\\windows.update.manager[0-9a-f]{3}'
         - '\\ntsvcs_[0-9a-f]{2}'
         - '\\scerpc_[0-9a-f]{2}'
         - '\\scerpc[0-9a-f]{2}'
   condition: selection_re
 falsepositives:
   - Unknown
 level: critical
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@ -0,0 +1,29 @@
 title: CobaltStrike Named Pipe Patterns
 id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
 status: experimental
 description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
 references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 date: 2021/07/30
 author: Florian Roth
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
 logsource:
   product: windows
   category: pipe_created
   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
 detection:
   selection_malleable_profiles:
      PipeName|startswith:
         - '\mojo.5688.8052.183894939787088877'
         - '\mojo.5688.8052.35780273329370473'
         - '\mypipe-f'
         - '\mypipe-h'
         - '\ntsvcs_'
         - '\scerpc_'
   condition: 1 of them
 falsepositives:
   - Chrome instances using the exactly same name pipe named mojo.something
 level: high