Cmd Echo Pipe - Escalation

Cmd Echo Pipe - Escalation


This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via jump (Cobalt Strike PTH) or getsystem, using named-pipe impersonation. A suspicious event will look like cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53.


Cmd Echo Pipe - Escalation Help

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.


Open in Search