Forked from svch0stz/Cobalt Strike Named Pipe Regex.csv
Created
September 16, 2021 17:20
-
-
Save cbresponse/779555f4adfb1b7f6d320719cd88fdff to your computer and use it in GitHub Desktop.
Cobalt Strike Named Pipe Regex
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Regex | Source | |
|---|---|---|
| MSSE-[0-9a-f]{3}-server | Default Cobalt Strike Artifact Kit binaries | |
| status_[0-9a-f]{2} | Default psexec_psh | |
| postex_ssh_[0-9a-f]{4} | Default SSH beacon | |
| msagent_[0-9a-f]{2} | Default SMB beacon | |
| postex_[0-9a-f]{4} | Default Post Exploitation job (v4.2+) | |
| mojo.5688.8052.183894939787088877[0-9a-f]{2} | jquery-c2.4.2.profile | |
| mojo.5688.8052.35780273329370473[0-9a-f]{2} | jquery-c2.4.2.profile | |
| wkssvc[0-9a-f]{2} | jquery-c2.4.2.profile | |
| ntsvcs[0-9a-f]{2} | trick_ryuk.profile | |
| DserNamePipe[0-9a-f]{2} | trick_ryuk.profile | |
| SearchTextHarvester[0-9a-f]{2} | trick_ryuk.profile | |
| ntsvcs | zloader.profile | |
| scerpc | zloader.profile | |
| mypipe-f[0-9a-f]{2} | havex.profile | |
| mypipe-h[0-9a-f]{2} | havex.profile | |
| windows.update.manager[0-9a-f]{2} | windows-updates.profile | |
| windows.update.manager[0-9a-f]{3} | windows-updates.profile | |
| ntsvcs_[0-9a-f]{2} | salesforce_api.profile | |
| scerpc_[0-9a-f]{2} | salesforce_api.profile | |
| scerpc[0-9a-f]{2} | zoom.profile | |
| ntsvcs[0-9a-f]{2} | zoom.profile |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment