Detecting Cobalt Strike

Cobalt Strike is threat emulation software. It is a proprietary product, used by... well, whoever can afford it. However, it has been reverse engineered and some of its code has leaked, and security researchers have scrutinized it extensively. For example, people have noticed a pattern in Cobalt Strike's use of named pipes.
When Cobalt Strike creates a named pipe, the name tends to follow one of these patterns:

\\.\pipe\MSSE-XXXX-server
\\.\pipe\postex-XXXX-server
\\.\pipe\msagent-XXXX-server
\\.\pipe\status-XXXX-server

Here each X is a random digit from 0-9. Pattern matching on this is straightforward with tools such as Sysmon, which records pipe creation (event ID 17) and pipe connection (event ID 18) together with the pipe name and the image of the process involved. Keep in mind that these are Cobalt Strike's default names: the pipe name is set in the Malleable C2 profile and a careful operator will change it, so a miss does not prove Cobalt Strike is absent.
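The following is an added example of that pattern match, not code from the original page or from Cobalt Strike itself. It runs a regex for the default pipe names above over a handful of constructed, Sysmon-like pipe event records (a flattened Key=value format standing in for the fields of event 17/18, not Sysmon's real XML). It generalizes slightly beyond the list: the separator may be a hyphen or an underscore, the "-server" suffix is optional, and the random part is matched as hex digits rather than only decimal digits. Those widenings, and the sample pipe names and image paths, are assumptions made here.

```python
import re
from typing import Dict, Iterable, List

# Default Cobalt Strike pipe-name prefixes from the list above. The text says
# each X is a digit; the character class is widened to hex digits here as a
# defensive assumption, and the separator and "-server" suffix are accepted in
# either hyphen or underscore form (also an assumption beyond the list above).
# Sysmon records the PipeName without the "\\.\pipe" prefix, e.g.
# "\MSSE-6214-server", so that prefix is optional.
CS_PIPE_RE = re.compile(
    r"^(?:\\\\\.\\pipe\\)?\\?(?:MSSE|postex|msagent|status)[-_][0-9a-f]+(?:[-_]server)?$",
    re.IGNORECASE,
)


def is_cobalt_strike_pipe(pipe_name: str) -> bool:
    """True if a PipeName value matches one of the default Cobalt Strike patterns."""
    return CS_PIPE_RE.match(pipe_name.strip()) is not None


def parse_record(line: str) -> Dict[str, str]:
    """Parse one flattened 'Key=value|Key=value' record.

    This is a constructed format for the example; real Sysmon events are XML
    in the Windows event log and would be parsed from there instead.
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def hunt_pipe_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the pipe create/connect records whose PipeName matches a default."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        # 17 = Pipe Created, 18 = Pipe Connected; other event types carry no pipe.
        if rec.get("EventID") not in ("17", "18"):
            continue
        if is_cobalt_strike_pipe(rec.get("PipeName", "")):
            hits.append(rec)
    return hits


# Constructed sample records; the pipe names and image paths are illustrative only.
SAMPLE_EVENTS = [
    r"EventID=17|PipeName=\MSSE-6214-server|Image=C:\Users\bob\AppData\Local\Temp\update.exe",
    r"EventID=18|PipeName=\postex_4f2a|Image=C:\Windows\System32\rundll32.exe",
    r"EventID=17|PipeName=\msagent_3e|Image=C:\Windows\System32\svchost.exe",
    r"EventID=17|PipeName=\status_90|Image=C:\Windows\Temp\a.exe",
    r"EventID=17|PipeName=\srvsvc|Image=C:\Windows\System32\svchost.exe",
    r"EventID=17|PipeName=\PSHost.1234.5678.DefaultAppDomain.powershell|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=1|PipeName=\MSSE-1111-server|Image=C:\evil.exe",
    r"EventID=17|PipeName=\MSSEserver|Image=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for hit in hunt_pipe_events(SAMPLE_EVENTS):
        print(f"suspect pipe {hit['PipeName']} from {hit['Image']}")
```

To do the same at collection time rather than after the fact, a Sysmon configuration can include PipeEvent rules on the PipeName field (for example a `contains` condition on each of the prefixes above) so that only pipes of interest are logged. Whichever way you match, treat a hit as a lead to pivot from (which process created the pipe, what it loaded, what it talked to), since a renamed pipe in a custom Malleable C2 profile will never trip this rule.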
