Query Details

Cobalt Strike C2

Query

Sysmon
| where EventID in (17, 18)            // Sysmon pipe events: 17 = Pipe Created, 18 = Pipe Connected
| where pipe_name has "\\postex_"      // default Cobalt Strike named-pipe names (see Explanation)
    or pipe_name matches regex "MSSE-\\d+-server"
    or pipe_name matches regex "status_\\d+"
    or pipe_name matches regex "msagent_\\d+"
| extend HostCustomEntity = Computer   // host entity mapping for Microsoft Sentinel

Explanation

This query searches the Sysmon table for EventID 17 (Pipe Created) and 18 (Pipe Connected), the named-pipe events Sysmon records when a process creates or connects to a pipe. It then keeps only events whose pipe_name field contains the term "\postex_" or matches one of the regular expressions "MSSE-\d+-server", "status_\d+" or "msagent_\d+". These are default named-pipe names used by Cobalt Strike Beacon for post-exploitation jobs and for SMB (peer-to-peer) Beacon traffic, so a hit is a strong indicator of a Cobalt Strike implant unless the pipe can be tied to a legitimate product. Finally, the query adds a column called HostCustomEntity containing the value of the Computer field, so Microsoft Sentinel can map the affected host as an entity on the resulting alert.

Two caveats apply when using this rule. First, these names are Cobalt Strike defaults: a Malleable C2 profile can change the pipename used by SMB Beacon and by post-exploitation jobs, so operators who customise their profile will not be caught by this query alone. Second, in KQL the has operator is a case-insensitive whole-term match, whereas matches regex is case-sensitive and unanchored; a pipe named in a different case than the patterns (for example MsAgent_17) would slip past the three regex clauses unless they are made case-insensitive with (?i).
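To see which pipe names the rule catches and which it misses, here is the same filter reimplemented in Python and run over a handful of constructed Sysmon-style records. This is an added example, not code from the page or from the query's author: the records are made up, the field names mirror the query above, and kql_has is only an approximation of KQL's has operator (case-insensitive match on whole alphanumeric terms), written to show why has is not a substring search and why the regex clauses are case-sensitive.

```python
import re

# Constructed sample Sysmon pipe events (EventID 17 = Pipe Created, 18 = Pipe Connected).
# These are made-up records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "ws01",  "pipe_name": "\\postex_3a2f"},       # default post-ex pipe
    {"EventID": 18, "Computer": "ws02",  "pipe_name": "\\MSSE-1234-server"},  # default SMB Beacon pipe
    {"EventID": 17, "Computer": "srv01", "pipe_name": "\\status_42"},
    {"EventID": 18, "Computer": "srv02", "pipe_name": "\\msagent_17"},
    {"EventID": 17, "Computer": "ws03",  "pipe_name": "\\MsAgent_17"},        # case differs: regex misses it
    {"EventID": 1,  "Computer": "ws04",  "pipe_name": "\\status_42"},         # not a pipe event: filtered out
    {"EventID": 17, "Computer": "ws05",  "pipe_name": "\\mojo.1234.5678"},    # benign-looking Chromium pipe
    {"EventID": 17, "Computer": "ws06",  "pipe_name": "\\mypostex_1"},        # substring, not a whole term
    {"EventID": 18, "Computer": "ws07",  "pipe_name": "\\POSTEX_ab"},         # `has` is case-insensitive
]

# KQL `matches regex` is case-sensitive and unanchored, so re.search with default flags.
PIPE_REGEXES = [re.compile(p) for p in (r"MSSE-\d+-server", r"status_\d+", r"msagent_\d+")]

TERM = re.compile(r"[A-Za-z0-9]+")


def kql_has(lhs, rhs):
    """Approximation (assumption, not Kusto's engine) of KQL `has`: the alphanumeric
    terms of rhs must appear contiguously among the terms of lhs, case-insensitively.
    "\\postex_" therefore looks for the whole term "postex"."""
    l = [t.lower() for t in TERM.findall(lhs)]
    r = [t.lower() for t in TERM.findall(rhs)]
    return any(l[i:i + len(r)] == r for i in range(len(l) - len(r) + 1))


def is_suspect_pipe(pipe_name):
    """Mirror the query's second `where` clause."""
    if kql_has(pipe_name, "\\postex_"):
        return True
    return any(rx.search(pipe_name) for rx in PIPE_REGEXES)


def run_query(events):
    """Apply the EventID filter, the pipe-name filter and the `extend`, like the KQL above."""
    hits = []
    for e in events:
        if e["EventID"] not in (17, 18):
            continue
        if not is_suspect_pipe(e["pipe_name"]):
            continue
        row = dict(e)
        row["HostCustomEntity"] = e["Computer"]  # extend HostCustomEntity = Computer
        hits.append(row)
    return hits


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["HostCustomEntity"], row["EventID"], row["pipe_name"])
```

Running it lists ws01, ws02, srv01, srv02 and ws07: the mixed-case MsAgent_17 pipe on ws03 is not caught because the regex clauses are case-sensitive, while the upper-case POSTEX_ab pipe on ws07 is, because has is not. Adding (?i) to the three patterns in the real query closes the first gap.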

Details


User Submission

Released: October 25, 2023

Tables

Sysmon

Keywords

Sysmon,EventID,pipe_name,\\postex_,MSSE-\\d+-server,status_\\d+,msagent_\\d+,HostCustomEntity,Computer

Operators

where, in, has, matches regex, or, extend
