
SMB named pipe based C2/LM activity indicator

Description: This query looks for the default named pipes used by the most common C2/LM tools. 

What The Data Shows: It provides visibility into the processes which are known to utilise named pipes used by the most common C2/LM tools.

Currently this flags the existence of default SMB pipes used by Metasploit, PsExec, Remcom, Covenant, CobaltStrike, CSEXEC, PoshC2 and EmpirePS.

SQL:

SELECT * FROM pipes
WHERE name LIKE 'psexesvc%'
   OR name LIKE 'remcom%'
   OR name LIKE 'gruntsvc%'
   OR name LIKE 'msagent%'
   OR name LIKE 'status%'
   OR name LIKE 'csexecsvc%'
   OR name LIKE 'TestSVC%'
   OR name LIKE 'jaccdpqnvbrrxlaf'
   OR name LIKE 'Posh%';
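To see exactly which rows the query above would flag before rolling it out, it can be run offline against a stand-in for the osquery `pipes` table. The block below is an added example, not part of the original post: osquery is built on SQLite, so Python's sqlite3 module evaluates the posted query with the same LIKE semantics (case-insensitive for ASCII letters, `%` matching any suffix). The pipe names are constructed sample data, and the table schema is reduced to the `pid` and `name` columns the query relies on (an assumption; the real table has more columns).

```python
"""Run the posted osquery `pipes` query against constructed sample rows.

Added example (not from the original post). Assumptions: a reduced pipes
table with only (pid, name); pipe names are given without the \\.\pipe\
prefix, as they appear in osquery's pipes table on Windows.
"""
import sqlite3

# The query as posted, unchanged apart from whitespace.
PIPE_QUERY = """
SELECT * FROM pipes
WHERE name LIKE 'psexesvc%' OR name LIKE 'remcom%' OR name LIKE 'gruntsvc%'
   OR name LIKE 'msagent%' OR name LIKE 'status%' OR name LIKE 'csexecsvc%'
   OR name LIKE 'TestSVC%' OR name LIKE 'jaccdpqnvbrrxlaf' OR name LIKE 'Posh%'
"""

# Constructed sample rows: (pid, name). A mix of ordinary Windows service
# pipes and names shaped like the defaults the query targets.
SAMPLE_PIPES = [
    (4, "srvsvc"),             # ordinary Windows service pipe
    (4, "lsass"),
    (1234, "PSEXESVC"),        # upper-case on purpose: LIKE is case-insensitive
    (2345, "RemCom_comm"),
    (3456, "msagent_1a2b"),
    (4567, "jaccdpqnvbrrxlaf"),
    (5678, "PoshMS"),
    (6789, "status_00"),
    (7890, "ntsvcs"),
    (8901, "wkssvc"),
]


def build_pipes_table(rows):
    """Create an in-memory SQLite stand-in for osquery's pipes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pipes (pid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO pipes VALUES (?, ?)", rows)
    return conn


def flagged_pipes(rows=SAMPLE_PIPES):
    """Return the (pid, name) pairs the posted query flags in `rows`."""
    conn = build_pipes_table(rows)
    try:
        return conn.execute(PIPE_QUERY).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for pid, name in flagged_pipes():
        print(f"pid={pid:<6} pipe={name}")
```

Adding the pipe names seen on your own fleet to `SAMPLE_PIPES` shows which patterns match them, which is a quick way to check a pattern such as `status%` against legitimate pipe names in your environment before the query goes into a scheduled run.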


6 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
mrcyberwarrior
New Contributor

hi

jaydelcic
Contributor

I've updated to include PoshC2 :)

jnelson
Carbon Black Employee

Sweet!

LazadaSecOps
New Contributor II

Is there a way to detect this using a Carbon Black watchlist?

jnelson
Carbon Black Employee

@LazadaSecOps if you are using Carbon Black EDR (CB Response), on-prem or cloud, then you could find all named pipes with:

filemod:pipe

You could then add additional logic to that query to achieve what is shown in this post.

If you are using Carbon Black Enterprise EDR (CB ThreatHunter), then named pipes are not currently tracked, but should be coming soon.