@svch0stz
Last active October 21, 2024 13:54
Cobalt Strike Named Pipe Regex

| Regex | Source |
| --- | --- |
| `MSSE-[0-9a-f]{3}-server` | Default Cobalt Strike Artifact Kit binaries |
| `status_[0-9a-f]{2}` | Default psexec_psh |
| `postex_ssh_[0-9a-f]{4}` | Default SSH beacon |
| `msagent_[0-9a-f]{2}` | Default SMB beacon |
| `postex_[0-9a-f]{4}` | Default Post Exploitation job (v4.2+) |
| `mojo.5688.8052.183894939787088877[0-9a-f]{2}` | jquery-c2.4.2.profile |
| `mojo.5688.8052.35780273329370473[0-9a-f]{2}` | jquery-c2.4.2.profile |
| `wkssvc[0-9a-f]{2}` | jquery-c2.4.2.profile |
| `ntsvcs[0-9a-f]{2}` | trick_ryuk.profile |
| `DserNamePipe[0-9a-f]{2}` | trick_ryuk.profile |
| `SearchTextHarvester[0-9a-f]{2}` | trick_ryuk.profile |
| `ntsvcs` | zloader.profile |
| `scerpc` | zloader.profile |
| `mypipe-f[0-9a-f]{2}` | havex.profile |
| `mypipe-h[0-9a-f]{2}` | havex.profile |
| `windows.update.manager[0-9a-f]{2}` | windows-updates.profile |
| `windows.update.manager[0-9a-f]{3}` | windows-updates.profile |
| `ntsvcs_[0-9a-f]{2}` | salesforce_api.profile |
| `scerpc_[0-9a-f]{2}` | salesforce_api.profile |
| `scerpc[0-9a-f]{2}` | zoom.profile |
| `ntsvcs[0-9a-f]{2}` | zoom.profile |

blueteam0ps commented May 3, 2022

MSSE-[0-9a-f]{3}-server should be 4 alpha-numeric not 3


svch0stz commented May 3, 2022

> MSSE-[0-9a-f]{3}-server should be 4 alpha-numeric not 3

I think I've seen both, but updated to include 4
