Detecting Cobalt Strike
Cobalt Strike is threat emulation software. It is a proprietary product used by... well, whoever can afford it. However, it has been reverse engineered and some of its code has leaked. Security researchers have also scrutinized it extensively. For example, some people have noticed a pattern in Cobalt Strike's use of named pipes.
When Cobalt Strike creates a named pipe, it tends to use the following naming patterns:
\\.\pipe\\MSSE-XXXX-server
\\.\pipe\\postex-XXXX-server
\\.\pipe\\msagent-XXXX-server
\\.\pipe\\statust-XXXX-server
Here the XXXX is a random number from 0-9. Pattern matching on this is rather trivial using tools such as Sysmon.
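One way to do that matching over exported Sysmon pipe events, as an added example that is not part of the original post. It assumes Sysmon Event ID 17 (pipe created) and 18 (pipe connected) in their XML form with a PipeName field, reads XXXX as exactly four decimal digits, and runs on sample events constructed for illustration; the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Prefixes taken from the list above. Assumption: XXXX is exactly four decimal
# digits. Pipe names are case-insensitive on Windows, so the match is too.
PIPE_RE = re.compile(r"^(MSSE|postex|msagent|statust)-[0-9]{4}-server$", re.IGNORECASE)

def normalize(pipe_name):
    # Reduce the full device path or Sysmon's short form (leading backslash
    # only) to the bare pipe name so one pattern covers both.
    return pipe_name.replace("/", "\\").split("\\")[-1]

def suspicious_pipe_events(event_xml_docs):
    """Return (Image, PipeName) for pipe events whose name fits the pattern."""
    hits = []
    for doc in event_xml_docs:
        root = ET.fromstring(doc)
        # Only pipe-created (17) and pipe-connected (18) events are relevant.
        if root.findtext("e:System/e:EventID", namespaces=NS) not in ("17", "18"):
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        if PIPE_RE.match(normalize(data.get("PipeName", ""))):
            hits.append((data.get("Image"), data.get("PipeName")))
    return hits

def _event(event_id, image, pipe):
    # Builds a minimal Sysmon-style event document (constructed sample data).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="PipeName">{pipe}</Data></EventData></Event>')

# Constructed sample events, not taken from a real host.
SAMPLE_EVENTS = [
    _event(17, r"C:\Windows\System32\rundll32.exe", r"\MSSE-4821-server"),
    _event(17, r"C:\Windows\System32\svchost.exe", r"\wkssvc"),
    _event(18, r"C:\Users\Public\update.exe", r"\postex-0937-server"),
    _event(17, r"C:\Program Files\App\app.exe", r"\MSSE-48211-server"),  # five digits
    _event(1, r"C:\Windows\System32\cmd.exe", r"\msagent-1111-server"),  # not a pipe event
]

if __name__ == "__main__":
    for image, pipe in suspicious_pipe_events(SAMPLE_EVENTS):
        print(f"suspicious pipe {pipe} from {image}")
```

The Image field is returned alongside the pipe name because the creating process is what an analyst triages next.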