Showing Posts From

• Riccardo Ancarani
• 20 Nov 2020

Detecting Cobalt Strike Default Modules via Named Pipe Analysis

A technical analysis of Cobalt Strike's default modules reveals distinctive named and anonymous pipe communication patterns. The article explores how Cobalt Strike uses pipes for inter-process communication during post-exploitation activities like keylogging and screenshot capture. Detection techniques are proposed, including Yara rules and Splunk searches to identify these unique pipe characteristics.

• Alfie Champion James Coote
• 2 Nov 2020

Using and detecting C2 printer pivoting

A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.