
SMB named pipe based C2/LM activity indicator

Description: This query looks for the default named pipes used by the most common C2/LM (command and control / lateral movement) tools.

What The Data Shows: It provides visibility into the processes known to use the named pipes associated with the most common C2/LM tools.

Currently this flags the existence of default SMB pipes used by Metasploit, PsExec, Remcom, Covenant, CobaltStrike, CSEXEC, PoshC2 and EmpirePS.

SQL:

SELECT * FROM pipes
WHERE name LIKE 'psexesvc%'
   OR name LIKE 'remcom%'
   OR name LIKE 'gruntsvc%'
   OR name LIKE 'msagent%'
   OR name LIKE 'status%'
   OR name LIKE 'csexecsvc%'
   OR name LIKE 'TestSVC%'
   OR name LIKE 'jaccdpqnvbrrxlaf'
   OR name LIKE 'Posh%';
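To see how the query behaves on real-looking data, the following added example (not code from the original post) loads a handful of constructed rows shaped like osquery's `pipes` table into an in-memory SQLite database and runs the same detection query against them. The column layout, the sample pipe names and the PIDs are all assumptions made for the example; the only change to the query itself is selecting `pid, name` instead of `*` and ordering by `pid` so the result is deterministic.

```python
import sqlite3

# Constructed sample rows shaped like osquery's `pipes` table
# (pid, name, instances, max_instances, flags). Every row here is made up
# for this example; none comes from a real host.
SAMPLE_PIPES = [
    (4,    "lsass",            1, 1, "FILE_PIPE_MESSAGE_MODE"),
    (4,    "srvsvc",           1, 1, "FILE_PIPE_MESSAGE_MODE"),
    (1234, "PSEXESVC",         1, 1, "FILE_PIPE_MESSAGE_MODE"),  # upper case on purpose
    (2345, "msagent_ab12",     1, 1, "FILE_PIPE_MESSAGE_MODE"),
    (3456, "jaccdpqnvbrrxlaf", 1, 1, "FILE_PIPE_BYTE_STREAM_MODE"),
    (4567, "status_41",        1, 1, "FILE_PIPE_MESSAGE_MODE"),
    (5678, "PoshMS",           1, 1, "FILE_PIPE_MESSAGE_MODE"),
    (6789, "spoolss",          1, 1, "FILE_PIPE_MESSAGE_MODE"),
]

# The detection query from the post, with `*` narrowed to the two columns an
# analyst triages first and an ORDER BY added so results are deterministic.
DETECTION_SQL = """
SELECT pid, name FROM pipes
WHERE name LIKE 'psexesvc%'
   OR name LIKE 'remcom%'
   OR name LIKE 'gruntsvc%'
   OR name LIKE 'msagent%'
   OR name LIKE 'status%'
   OR name LIKE 'csexecsvc%'
   OR name LIKE 'TestSVC%'
   OR name LIKE 'jaccdpqnvbrrxlaf'
   OR name LIKE 'Posh%'
ORDER BY pid;
"""


def build_pipes_table(rows):
    """Create an in-memory SQLite table with the (assumed) osquery `pipes` layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pipes ("
        "pid INTEGER, name TEXT, instances INTEGER, "
        "max_instances INTEGER, flags TEXT)"
    )
    conn.executemany("INSERT INTO pipes VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def suspicious_pipes(rows=SAMPLE_PIPES):
    """Run the detection query over `rows` and return the (pid, name) hits."""
    conn = build_pipes_table(rows)
    try:
        return [(pid, name) for pid, name in conn.execute(DETECTION_SQL)]
    finally:
        conn.close()


if __name__ == "__main__":
    for pid, name in suspicious_pipes():
        print(f"pid={pid:<6} pipe={name}")
```

Two things worth noticing in the output: SQLite's LIKE (the engine osquery runs on) compares ASCII case-insensitively, so the upper-case `PSEXESVC` row is still caught by `'psexesvc%'`; and `'status%'` is by far the broadest pattern, so hits on it should be checked against the owning process before being treated as an alert rather than an indicator.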


6 Comments
Carbon Black Employee
Status changed to: Approved
New Contributor

hi

Contributor

I've updated to include PoshC2 :)

Carbon Black Employee

Sweet!

New Contributor II

Is there a way to detect this using carbon black watchlist ?

Carbon Black Employee

@LazadaSecOps if you are using Carbon Black EDR (CB Response), on-prem or cloud, then you could find all named pipes with:

filemod:pipe

You could then add additional logic to that query to achieve what is shown in this post.

If you are using Carbon Black Enterprise EDR (CB ThreatHunter), then named pipes are not currently tracked, but should be coming soon.