CobaltStrike NamedPipe Patterns

https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
2024-11-07 09:48:58 +00:00 · 2021-07-30 07:11:11 +02:00 · 2021-07-30 07:11:11 +02:00 · 0cbb6f82ad
commit 0cbb6f82ad
parent ec9c15226f
2 changed files with 65 additions and 0 deletions
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
@ -0,0 +1,36 @@
+title: CobaltStrike Named Pipe Pattern Regex
+id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
+status: experimental
+description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
+references:
+    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+date: 2021/07/30
+author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
+logsource:
+   product: windows
+   category: pipe_created
+   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+detection:
+   selection_re:
+      PipeName|re:
+         - '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
+         - '\\mojo.5688.8052.35780273329370473[0-9a-f]{2}'
+         - '\\wkssvc[0-9a-f]{2}'
+         - '\\ntsvcs[0-9a-f]{2}'
+         - '\\DserNamePipe[0-9a-f]{2}'
+         - '\\SearchTextHarvester[0-9a-f]{2}'
+         - '\\mypipe-f[0-9a-f]{2}'
+         - '\\mypipe-h[0-9a-f]{2}'
+         - '\\windows.update.manager[0-9a-f]{2}'
+         - '\\windows.update.manager[0-9a-f]{3}'
+         - '\\ntsvcs_[0-9a-f]{2}'
+         - '\\scerpc_[0-9a-f]{2}'
+         - '\\scerpc[0-9a-f]{2}'
+   condition: selection_re
+falsepositives:
+   - Unknown
+level: critical
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@ -0,0 +1,29 @@
+title: CobaltStrike Named Pipe Patterns
+id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
+status: experimental
+description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
+references:
+    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+date: 2021/07/30
+author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
+logsource:
+   product: windows
+   category: pipe_created
+   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+detection:
+   selection_malleable_profiles:
+      PipeName|startswith:
+         - '\mojo.5688.8052.183894939787088877'
+         - '\mojo.5688.8052.35780273329370473'
+         - '\mypipe-f'
+         - '\mypipe-h'
+         - '\ntsvcs_'
+         - '\scerpc_'
+   condition: 1 of them
+falsepositives:
+   - Chrome instances using the exactly same name pipe named mojo.something
+level: high