Built off the open source project Osquery
Description: This query looks for the default named pipes used by the most common C2/LM (command-and-control / lateral-movement) tools.
What The Data Shows: It provides visibility into the processes that have opened named pipes whose names match the defaults of the most common C2/LM tools.
Currently this flags the existence of the default SMB named pipes used by Metasploit, PsExec, Remcom, Covenant, CobaltStrike, CSEXEC, PoshC2 and EmpirePS.
SQL: SELECT * FROM pipes WHERE name LIKE 'psexesvc%' OR name LIKE 'remcom%' OR name LIKE 'gruntsvc%' OR name LIKE 'msagent%' OR name LIKE 'status%' OR name LIKE 'csexecsvc%' OR name LIKE 'TestSVC%' OR name LIKE 'jaccdpqnvbrrxlaf' OR name LIKE 'Posh%';
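The following is an added worked example, not part of the original query catalog entry and not osquery's own code. It loads a handful of constructed rows shaped like the osquery `pipes` table (columns pid, name, instances, max_instances, flags; the sample names and pids are made up for illustration) into an in-memory SQLite database and runs the query above against them, since osquery evaluates its SQL with SQLite and so the LIKE semantics (case-insensitive for ASCII, `%` as wildcard) are the same. A second helper reports which of the query's patterns fired for a given pipe name, which is useful when triaging a hit or reviewing the patterns themselves.

```python
import sqlite3

# The detection query from the catalog entry, verbatim.
PIPE_QUERY = """
SELECT * FROM pipes WHERE name LIKE 'psexesvc%' OR name LIKE 'remcom%'
  OR name LIKE 'gruntsvc%' OR name LIKE 'msagent%' OR name LIKE 'status%'
  OR name LIKE 'csexecsvc%' OR name LIKE 'TestSVC%'
  OR name LIKE 'jaccdpqnvbrrxlaf' OR name LIKE 'Posh%';
"""

# The same patterns as a list, so a single name can be checked against each.
PIPE_PATTERNS = [
    "psexesvc%", "remcom%", "gruntsvc%", "msagent%", "status%",
    "csexecsvc%", "TestSVC%", "jaccdpqnvbrrxlaf", "Posh%",
]

# Constructed sample rows (assumption: names are stored without the
# \\.\pipe\ prefix, as the osquery pipes table reports them).
# Columns: pid, name, instances, max_instances, flags
SAMPLE_PIPES = [
    (4,    "lsass",            1,  1, 0),   # benign Windows pipe
    (612,  "srvsvc",           1, -1, 0),   # benign Windows pipe
    (1337, "PSEXESVC",         1,  1, 0),   # upper-case: LIKE is case-insensitive
    (2210, "msagent_7f3a",     1,  1, 0),
    (2301, "status_12",        1,  1, 0),
    (2402, "jaccdpqnvbrrxlaf", 1,  1, 0),   # pattern with no wildcard: exact name only
    (2500, "Posh-Worker",      1,  1, 0),
    (900,  "spoolss",          1, -1, 0),   # benign Windows pipe
]


def build_pipes_table(rows):
    """Create an in-memory SQLite table mirroring the osquery pipes schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pipes (pid INTEGER, name TEXT, instances INTEGER, "
        "max_instances INTEGER, flags INTEGER)"
    )
    conn.executemany("INSERT INTO pipes VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def run_pipe_query(rows, query=PIPE_QUERY):
    """Run the catalog query over the given rows; return matches as dicts."""
    conn = build_pipes_table(rows)
    try:
        cur = conn.execute(query)
        cols = [c[0] for c in cur.description]
        return [dict(zip(cols, r)) for r in cur.fetchall()]
    finally:
        conn.close()


def matched_patterns(name):
    """Return the query patterns that match one pipe name, using SQLite's LIKE
    so the result agrees with what osquery would report."""
    conn = sqlite3.connect(":memory:")
    try:
        return [
            p for p in PIPE_PATTERNS
            if conn.execute("SELECT ? LIKE ?", (name, p)).fetchone()[0]
        ]
    finally:
        conn.close()


if __name__ == "__main__":
    for hit in run_pipe_query(SAMPLE_PIPES):
        print(f"pid={hit['pid']:<5} pipe={hit['name']:<18} "
              f"patterns={matched_patterns(hit['name'])}")
```

Two points the sample rows are chosen to show: the hit on `PSEXESVC` confirms that SQLite's LIKE ignores ASCII case, so the lower-case patterns still catch the canonical upper-case PsExec pipe name; and `jaccdpqnvbrrxlaf` is the one pattern written without a trailing `%`, so it matches that exact name only. When tuning the query, `status%` is the pattern most worth baselining in your own environment, because it is a short generic prefix rather than a tool-specific token.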
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.