Hunting for default pipe names used by Cobalt Strike

Copper Contributor

Here is a KQL query I've set up as a Sentinel alert that has been working very well to identify Cobalt Strike beacons. Some of these pipe names are difficult to change (changing them requires the threat actor to modify the Artifact Kit code and recompile), and in actual practice, it appears that threat actors do not bother to change them.

Sysmon
| where EventID in (17, 18)   // Sysmon 17 = PipeCreated, 18 = PipeConnected
// Default Cobalt Strike pipe names. Each # in the defaults (msagent_##, status_##,
// postex_####) is filled with a random hex character, so match [0-9a-f] rather than
// \d. Anchor on the leading backslash and the end of the name so that a benign pipe
// such as \app_status_42 is not flagged. Regex is used throughout because `has`
// matches whole terms only and can miss a postex_<hex> term.
| where pipe_name matches regex @"^\\postex_[0-9a-fA-F]+$"      // post-exploitation job pipe
    or pipe_name matches regex @"^\\MSSE-\d+-server$"           // Artifact Kit default
    or pipe_name matches regex @"^\\status_[0-9a-fA-F]+$"       // SMB named-pipe stager
    or pipe_name matches regex @"^\\msagent_[0-9a-fA-F]+$"      // SMB beacon peer-to-peer pipe
| extend HostCustomEntity = Computer
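The same hunt, re-implemented offline in Python and run over a handful of constructed Sysmon named-pipe records so the matching can be checked without a Sentinel workspace. This is an added example, not the poster's query: the four default Cobalt Strike pipe names are matched with anchored regexes, and the suffixes are matched as hex (Cobalt Strike fills each `#` in its default names with a random hex character), which goes slightly beyond the `\d+` patterns in the post and is stated here as an assumption. The sample events and field names (`EventID`, `Computer`, `Image`, `pipe_name`) are constructed to mirror the KQL.

```python
"""Offline version of the Cobalt Strike default-pipe hunt.

Added example, not the poster's KQL. Assumptions: Sysmon pipe events are
EventID 17 (PipeCreated) and 18 (PipeConnected), and the hex suffixes in
Cobalt Strike's default pipe names are matched with [0-9a-f] rather than \\d.
"""
import re

# Sysmon named-pipe events: 17 = PipeCreated, 18 = PipeConnected
PIPE_EVENT_IDS = {17, 18}

# Default Cobalt Strike pipe names (Malleable C2 / Artifact Kit defaults),
# anchored at both ends so a benign pipe that merely contains "status_"
# somewhere in its name is not flagged.
CS_DEFAULT_PIPES = {
    "postex":  re.compile(r"^\\postex_[0-9a-f]+$", re.IGNORECASE),   # post-ex job pipe
    "msse":    re.compile(r"^\\MSSE-\d+-server$"),                   # Artifact Kit default
    "status":  re.compile(r"^\\status_[0-9a-f]+$", re.IGNORECASE),   # SMB stager pipe
    "msagent": re.compile(r"^\\msagent_[0-9a-f]+$", re.IGNORECASE),  # SMB beacon p2p pipe
}


def classify_pipe(pipe_name):
    """Return the label of the default pattern the pipe name matches, or None."""
    for label, pattern in CS_DEFAULT_PIPES.items():
        if pattern.match(pipe_name):
            return label
    return None


def hunt(events):
    """Apply the KQL logic: keep EventID 17/18 records whose pipe_name matches a
    default, and attach HostCustomEntity = Computer like the extend clause."""
    hits = []
    for ev in events:
        if ev["EventID"] not in PIPE_EVENT_IDS:
            continue
        label = classify_pipe(ev["pipe_name"])
        if label is None:
            continue
        hits.append({**ev, "HostCustomEntity": ev["Computer"], "pattern": label})
    return hits


# Constructed sample records (not real telemetry); field names mirror the KQL.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "pipe_name": "\\postex_1a2b"},
    {"EventID": 18, "Computer": "ws02", "Image": "C:\\Users\\x\\update.exe",
     "pipe_name": "\\MSSE-1234-server"},
    {"EventID": 17, "Computer": "ws03", "Image": "C:\\Windows\\System32\\svchost.exe",
     "pipe_name": "\\msagent_0d"},          # hex suffix: a \d+ pattern would miss it
    {"EventID": 17, "Computer": "ws03", "Image": "C:\\Windows\\System32\\svchost.exe",
     "pipe_name": "\\status_7f"},
    {"EventID": 17, "Computer": "ws04", "Image": "C:\\Windows\\System32\\lsass.exe",
     "pipe_name": "\\lsass"},               # legitimate Windows pipe
    {"EventID": 17, "Computer": "ws05", "Image": "C:\\app\\agent.exe",
     "pipe_name": "\\app_status_42"},       # contains "status_" but is not a CS default
    {"EventID": 1,  "Computer": "ws06", "Image": "C:\\x.exe",
     "pipe_name": "\\msagent_12"},          # wrong EventID: not a pipe event
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['HostCustomEntity']}: {hit['pipe_name']} "
              f"({hit['pattern']}) from {hit['Image']}")
```

Running it flags only the four Cobalt Strike defaults (ws01, ws02 and the two svchost.exe pipes on ws03); the `\lsass` pipe, the `\app_status_42` pipe and the record with a non-pipe EventID are left alone, which is the behaviour to confirm before turning the query into an alert.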