
SMB named pipe based C2/LM activity indicator

Description: This query looks for the default named pipes used by the most common C2/LM tools. 

What The Data Shows: It provides visibility into the processes that are known to utilise the named pipes used by the most common C2/LM tools.

Currently this flags the existence of default SMB pipes used by Metasploit, PsExec, Remcom, Covenant, CobaltStrike, CSEXEC, PoshC2 and EmpirePS.

SQL:

SELECT * FROM pipes
WHERE name LIKE 'psexesvc%'
   OR name LIKE 'remcom%'
   OR name LIKE 'gruntsvc%'
   OR name LIKE 'msagent%'
   OR name LIKE 'status%'
   OR name LIKE 'csexecsvc%'
   OR name LIKE 'TestSVC%'
   OR name LIKE 'jaccdpqnvbrrxlaf'
   OR name LIKE 'Posh%';
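Added example (not part of the original post or of Carbon Black's content): the post's query, extended with a LEFT JOIN to the osquery processes table so each hit also shows the owning process, run against constructed sample rows in an in-memory SQLite database. Live Query is osquery, and osquery is SQLite underneath, so the DETECTION_SQL statement uses the osquery column names (pipes: pid, name, instances, max_instances, flags; processes: pid, name, path, cmdline) and can be pasted into Live Query as-is; the sqlite3 harness, the sample pipe and process rows, and the helper function names are all constructed here to make the query runnable offline. It also illustrates two properties of the patterns worth knowing before deploying: SQLite LIKE is case-insensitive for ASCII, so 'PSEXESVC' matches 'psexesvc%', and the patterns are anchored at the start of the name, so a pipe such as 'MyStatusService' does not match 'status%', while any pipe that happens to begin with 'status' or 'Posh' does, which makes those two prefixes the ones to baseline in your own environment.

```python
"""Run the named-pipe detection query (with a process join) against constructed
sample data in an in-memory SQLite database mimicking osquery's pipes and
processes schemas. Example code, not Carbon Black's or the original poster's."""
import sqlite3

# Same LIKE patterns as the post, joined to `processes` so each hit shows the
# process that owns the pipe server end. Runs unchanged in osquery/Live Query.
DETECTION_SQL = """
SELECT p.pid, p.name AS pipe, pr.name AS process, pr.path, pr.cmdline
FROM pipes p
LEFT JOIN processes pr ON pr.pid = p.pid
WHERE p.name LIKE 'psexesvc%'
   OR p.name LIKE 'remcom%'
   OR p.name LIKE 'gruntsvc%'
   OR p.name LIKE 'msagent%'
   OR p.name LIKE 'status%'
   OR p.name LIKE 'csexecsvc%'
   OR p.name LIKE 'TestSVC%'
   OR p.name LIKE 'jaccdpqnvbrrxlaf'
   OR p.name LIKE 'Posh%';
"""

# Constructed sample rows (not real telemetry), in osquery's column order:
# pipes(pid, name, instances, max_instances, flags)
SAMPLE_PIPES = [
    (4,    "lsass",            1,  1, ""),
    (612,  "srvsvc",           1, -1, ""),
    (2241, "PSEXESVC",         1,  1, ""),   # matches 'psexesvc%' (LIKE is case-insensitive)
    (3100, "msagent_4f",       1,  1, ""),   # matches 'msagent%'
    (3100, "status_98",        1,  1, ""),   # matches 'status%'
    (4420, "jaccdpqnvbrrxlaf", 1,  1, ""),   # exact match, no wildcard needed
    (1044, "MyStatusService",  1,  1, ""),   # no match: pattern is anchored at the start
]
# processes(pid, name, path, cmdline) -- subset of osquery's processes columns
SAMPLE_PROCESSES = [
    (4,    "System",         "",                                   ""),
    (612,  "svchost.exe",    r"C:\Windows\System32\svchost.exe",   "svchost.exe -k netsvcs"),
    (2241, "PSEXESVC.exe",   r"C:\Windows\PSEXESVC.exe",           r"C:\Windows\PSEXESVC.exe"),
    (3100, "rundll32.exe",   r"C:\Windows\System32\rundll32.exe",  "rundll32.exe"),
    (4420, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "powershell.exe -nop -w hidden"),
    (1044, "agent.exe",      r"C:\Program Files\Vendor\agent.exe", "agent.exe"),
]


def build_db(pipes=SAMPLE_PIPES, processes=SAMPLE_PROCESSES):
    """Create an in-memory SQLite database with osquery-shaped tables and load the rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pipes (pid INTEGER, name TEXT, instances INTEGER,
                            max_instances INTEGER, flags TEXT);
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT);
    """)
    con.executemany("INSERT INTO pipes VALUES (?,?,?,?,?)", pipes)
    con.executemany("INSERT INTO processes VALUES (?,?,?,?)", processes)
    return con


def run_detection(con=None):
    """Return the joined hit rows: (pid, pipe, process, path, cmdline)."""
    if con is None:
        con = build_db()
    return con.execute(DETECTION_SQL).fetchall()


def flagged_pipes(rows):
    """Sorted list of pipe names that the detection flagged."""
    return sorted(r[1] for r in rows)


if __name__ == "__main__":
    for pid, pipe, proc, path, cmd in run_detection():
        print(f"pid={pid:<5} pipe={pipe:<18} process={proc} path={path}")
```

Two rows share pid 3100 because one process can host several pipe servers; with the join, a single process owning both an 'msagent' and a 'status' pipe is visible at a glance, which the un-joined SELECT * does not show.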
4 Comments
Carbon Black Employee
Status changed to: Approved
 
New Contributor

hi

Contributor

I've updated to include PoshC2 :)

Carbon Black Employee

Sweet!