
Cobalt Strike Default Pipes #253

Closed
mschilt opened this issue Feb 21, 2019 · 2 comments

Comments

mschilt commented Feb 21, 2019

Addition to sysmon_mal_namedpipes.yml:

CS default named pipes:
- msagent_#number: used by SMB Beacon's peer-to-peer communication.
- status_#number: used by SMB Beacon's named pipe stager.

Ref:
https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server-population-study/
https://www.cobaltstrike.com/help-malleable-c2

Neo23x0 (Collaborator) commented Feb 21, 2019

I'll add the msagent_ named pipe, but I am unsure about the status_ named pipe. My guess is that it would cause many false positives if it gets implemented as status_*.

Neo23x0 pushed a commit that referenced this issue Feb 21, 2019
mschilt (Author) commented Feb 25, 2019

Don't think there will be a lot of FPs as long as it's not *status_*.
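To make the false-positive discussion in this thread concrete, here is an added example (not code from the Sigma project or from either commenter) that runs three candidate selections over constructed Sysmon-style pipe events (Event ID 17 = Pipe Created, 18 = Pipe Connected, with a `PipeName` field carrying the leading backslash Sysmon logs). It compares a "contains" match (the Sigma `*status_*` form), a prefix match (`status_*`), and a fully anchored match that also constrains the suffix. The assumption that the `#number` suffix is a run of hex digits is mine, read loosely from the Cobalt Strike documentation linked above; the pipe names and image paths in the sample events are made up.

```python
import re

# Constructed Sysmon pipe events (not real telemetry). PipeName keeps the
# leading backslash exactly as Sysmon records it.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\msagent_a3",
     "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"EventID": 17, "PipeName": "\\status_f1",
     "Image": "C:\\Users\\Public\\beacon.exe"},
    # Benign pipe that merely contains "status_" in the middle of its name.
    {"EventID": 18, "PipeName": "\\MyApp_status_pipe",
     "Image": "C:\\Program Files\\MyApp\\svc.exe"},
    # Benign pipe that starts with "status_" but has a non-numeric suffix.
    {"EventID": 17, "PipeName": "\\status_report",
     "Image": "C:\\Program Files\\MonitorTool\\agent.exe"},
    {"EventID": 17, "PipeName": "\\mojo.7152.3.42",
     "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe"},
    # Event ID 1 (process create) carries no PipeName and must be ignored.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
]

PIPE_EVENT_IDS = (17, 18)


def match_contains(pipe: str) -> bool:
    """Sigma '*msagent_*' / '*status_*': substring match anywhere in the name."""
    p = pipe.lower()
    return "msagent_" in p or "status_" in p


def match_prefix(pipe: str) -> bool:
    """Sigma 'msagent_*' / 'status_*': the pipe name must begin with the token."""
    p = pipe.lower()
    return p.startswith("\\msagent_") or p.startswith("\\status_")


# Assumption (not stated on this page): the '#number' suffix is one or more
# hex digits, so the whole name is anchored at both ends.
ANCHORED_RE = re.compile(r"^\\(msagent|status)_[0-9a-f]+$", re.IGNORECASE)


def match_anchored(pipe: str) -> bool:
    """Prefix plus suffix format: rejects names like '\\status_report'."""
    return ANCHORED_RE.fullmatch(pipe) is not None


def evaluate(events, matcher):
    """Return the PipeName of every pipe event the given matcher flags."""
    return [
        e["PipeName"]
        for e in events
        if e.get("EventID") in PIPE_EVENT_IDS
        and "PipeName" in e
        and matcher(e["PipeName"])
    ]


def compare_selections(events):
    """Run all three matchers so the false-positive delta is visible."""
    return {
        "contains": evaluate(events, match_contains),
        "prefix": evaluate(events, match_prefix),
        "anchored": evaluate(events, match_anchored),
    }


if __name__ == "__main__":
    for name, hits in compare_selections(SAMPLE_EVENTS).items():
        print(f"{name:9s} -> {hits}")
```

On this sample the "contains" form flags four names, the prefix form three (it still catches the benign `\status_report`), and the anchored form only the two beacon-shaped names. The suffix constraint is the part that depends on the assumption above, so verify the real suffix format in your own Cobalt Strike telemetry before tightening a production rule that far.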
