
CobaltStrike Named Pipe Patterns

Sigma Rules

Summary
This detection rule identifies the creation of named pipes whose names are indicative of Cobalt Strike activity. Cobalt Strike is a legitimate penetration testing tool that is frequently misused by threat actors for command-and-control (C2) communications. The rule draws on the naming conventions defined in Cobalt Strike's malleable C2 profiles, which dictate how the named pipes used for communication between the compromised host and the C2 server are named. It relies on Sysmon telemetry, specifically Event ID 17 (named pipe created) and Event ID 18 (named pipe connected), so Sysmon must be configured to log named pipe events for the rule to fire. The rule lists several named pipe patterns that trigger an alert when a matching pipe is created, and it filters out known benign instances (for example, Chrome and Websense usage) to reduce false positives. The detection criteria consist of pipe-name prefixes and suffixes typically used by Cobalt Strike, keeping the rule focused on this specific threat vector.
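The following is an added illustration of how a rule of this shape is evaluated; it is not the Sigma rule itself and does not reproduce its pipe-name patterns. The prefix and suffix strings are placeholders to be replaced with the values from the rule's source, the `\chrome.exe` image exclusion is an assumed shape for the benign filter the summary mentions, and the Sysmon-style event records are constructed sample data.

```python
"""Added example: evaluate a Sigma-style named-pipe rule over Sysmon pipe events.

The pipe-name patterns below are PLACEHOLDERS; the real rule's patterns live in its
source and are not reproduced here. Event records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable

PIPE_CREATED = 17    # Sysmon Event ID 17: named pipe created
PIPE_CONNECTED = 18  # Sysmon Event ID 18: named pipe connected


@dataclass(frozen=True)
class PipeRule:
    """Mirrors the Sigma layout: a selection of pipe-name patterns plus a filter of benign images."""
    starts_with: tuple[str, ...]
    ends_with: tuple[str, ...]
    benign_image_suffixes: tuple[str, ...]


def pipe_name_matches(pipe_name: str, rule: PipeRule) -> bool:
    """True when the pipe name starts or ends with one of the rule's patterns.

    Sigma string modifiers (startswith/endswith) compare case-insensitively, so both
    sides are lower-cased before the comparison.
    """
    name = pipe_name.lower()
    return any(name.startswith(p.lower()) for p in rule.starts_with) or any(
        name.endswith(s.lower()) for s in rule.ends_with
    )


def is_benign_image(image: str, rule: PipeRule) -> bool:
    """True when the creating process image is one the rule explicitly excludes."""
    img = image.lower()
    return any(img.endswith(s.lower()) for s in rule.benign_image_suffixes)


def evaluate(events: Iterable[dict], rule: PipeRule) -> list[dict]:
    """Return the events that would raise an alert: pipe event AND pattern match AND NOT benign filter."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (PIPE_CREATED, PIPE_CONNECTED):
            continue  # only named-pipe events are in scope
        if not pipe_name_matches(ev.get("PipeName", ""), rule):
            continue  # selection did not match
        if is_benign_image(ev.get("Image", ""), rule):
            continue  # known-benign producer, suppressed to reduce false positives
        alerts.append(ev)
    return alerts


# PLACEHOLDER patterns: replace with the prefixes/suffixes from the rule's source.
RULE = PipeRule(
    starts_with=("\\PLACEHOLDER_PREFIX_",),
    ends_with=("_PLACEHOLDER_SUFFIX",),
    benign_image_suffixes=("\\chrome.exe",),  # assumed shape of the Chrome exclusion
)

# Constructed sample events using Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\PLACEHOLDER_PREFIX_1234",
     "Image": "C:\\Windows\\Temp\\update.exe", "ProcessId": 4120},
    {"EventID": 17, "PipeName": "\\PLACEHOLDER_PREFIX_5678",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 2200},
    {"EventID": 18, "PipeName": "\\svc_PLACEHOLDER_SUFFIX",
     "Image": "C:\\Windows\\System32\\rundll32.exe", "ProcessId": 5312},
    {"EventID": 17, "PipeName": "\\lsass",
     "Image": "C:\\Windows\\System32\\lsass.exe", "ProcessId": 700},
    {"EventID": 1, "PipeName": "\\PLACEHOLDER_PREFIX_9999",
     "Image": "C:\\x.exe", "ProcessId": 1},  # not a pipe event, so out of scope
]


def alerting_process_ids() -> list[int]:
    """ProcessIds of the sample events that the placeholder rule alerts on."""
    return [ev["ProcessId"] for ev in evaluate(SAMPLE_EVENTS, RULE)]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS, RULE):
        print(f"ALERT EventID={ev['EventID']} pipe={ev['PipeName']} image={ev['Image']}")
```

The three-stage shape (event scope, pattern selection, benign filter) is the part worth keeping when tuning: widening the Chrome or Websense exclusion by image path rather than by pipe name keeps the pipe-name selection intact, which is what gives the rule its coverage.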
Categories
  • Endpoint
  • Windows
Data Sources
  • Named Pipe
  • Process
Created: 2021-07-30