Neo23x0
commented
5 years ago I'll add the msagent_ named pipe, but I am unsure about the status_ named pipe. My guess is that it would cause many false positives if it gets implemented as status_*.
Closed mschilt closed 5 years ago
Neo23x0
commented
5 years ago I'll add the msagent_ named pipe, but I am unsure about the status_ named pipe. My guess is that it would cause many false positives if it gets implemented as status_*.
mschilt
commented
5 years ago Don't think there will be a lot of FPs as long as its not *status_*.
Addition to sysmon_mal_namedpipes.yml:
CS default named pipes: msagent#number used by SMB Beacon's peer-to-peer communication. status#number used by SMB Beacon's named pipe stager
Ref: https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server-population-study/ https://www.cobaltstrike.com/help-malleable-c2