{
	"id": "2730cf85-0be4-4060-8adb-79ecd490bc72",
	"created_at": "2026-04-06T00:21:06.149737Z",
	"updated_at": "2026-04-10T03:24:24.189755Z",
	"deleted_at": null,
	"sha1_hash": "a953c983ef09ac3b82dbcc2a84a42b2383dea487",
	"title": "Guide to Named Pipes and Hunting for Cobalt Strike Pipes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315691,
	"plain_text": "Guide to Named Pipes and Hunting for Cobalt Strike Pipes\r\nBy svch0st\r\nPublished: 2021-07-25 · Archived: 2026-04-05 16:18:48 UTC\r\nIntro to Named Pipes\r\nThe way that helped me start to understand pipes is to think of them as a type of network socket. A named pipe can be used to send and receive data between processes, or even between hosts, since pipes are also reachable remotely through the IPC$ share over SMB.\r\nAs a rudimentary example, you can list the pipes currently open on your host:\r\nGet-ChildItem \\\\.\\pipe\\\r\nNow let’s try creating one. Below is a basic script that creates a named pipe server using PowerShell; the pipe only exists while this process holds it open:\r\ntry {\r\n    # The pipe will appear as \\\\.\\pipe\\bad_pipe\r\n    $pipeName = \"bad_pipe\"\r\n    # Create the server end of the pipe (defaults: duplex, single instance)\r\n    $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName)\r\n    Write-Host \"Listening on \\\\.\\pipe\\$pipeName\"\r\n    # Block until a client opens the pipe\r\n    $pipe.WaitForConnection()\r\n    $sr = New-Object System.IO.StreamReader($pipe)\r\n    # Read one newline-terminated line sent by the client\r\n    $msg = $sr.ReadLine()\r\n    Write-Host \"I received a message: $msg\"\r\n}\r\ncatch {\r\n    Write-Host \"Pipe Creation Failed...\"\r\n    $_\r\n    return 0\r\n}\r\nfinally {\r\n    # Close the pipe so its name disappears from \\\\.\\pipe\\\r\n    if ($pipe) { $pipe.Dispose() }\r\n}\r\nOnce running, it will listen for any data sent to it and write it to the console. We can quickly test this by redirecting the stdout of a simple command to the pipe path (the redirect opens \\\\.\\pipe\\bad_pipe like a file, which connects to the pipe as a client):\r\necho \"Sending data to pipe\" \u003e\\\\.\\pipe\\bad_pipe\r\nHow Cobalt Strike uses Named Pipes\r\nThere is plenty of existing research on how Cobalt Strike utilises named pipes, including from the Cobalt Strike blog. In that post, Raphael Mudge (the creator of Cobalt Strike) notes some of the default pipe names. You can also customise the names of these pipes using Malleable C2 profiles.\r\nSee a sample of regexes for pipe names I put together from default and custom profiles below:\r\n[Image: regex list for default and custom Cobalt Strike pipe names]\r\nUsing Velociraptor to Search for Malicious Named Pipes\r\nWhen a process opens a named pipe, it holds a handle to it. Below is a sample of VQL that walks through all running processes, pulls the handles of each process, and then returns any handle whose name matches the regex bad_pipe.\r\nLET pipeRegex = 'bad_pipe'\r\n\r\nLET processes = SELECT Pid AS ProcPid, Name AS ProcName, Exe\r\n    FROM pslist()\r\n    WHERE ProcPid \u003e 0\r\n\r\nSELECT * FROM foreach(\r\n    row=processes,\r\n    query={\r\n        SELECT ProcPid, ProcName, Exe, Type, Name, Handle\r\n        FROM handles(pid=ProcPid)\r\n        WHERE Name =~ pipeRegex\r\n    })\r\nUsing the example created before, I left the named pipe open and ran the VQL above in a notebook, which returned the following result:\r\n[Image: Velociraptor notebook result showing the process and the bad_pipe handle]\r\nIt recorded what process was using the pipe as well as the pipe name! Using the regex of some of the default named pipes, let’s put all this to the test.\r\nIn Cobalt Strike’s interface for creating a new SMB listener, the default pipe name was msagent_f8, which matches what we learnt before. I ran jump psexec_psh to laterally move to a different host.\r\n[Image: Cobalt Strike SMB listener setup]\r\nJumping into Velociraptor, I created an artefact to search for any handles that match the regex outlined previously.
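As an added example (editorial code, not from the original post or from Velociraptor), here is a PowerShell hunt that applies pipe-name regexes to both the live \\\\.\\pipe\\ listing and to Sysmon’s pipe events, Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected), so it also catches short-lived pipes that a handle walk like the VQL above misses. The regex list is an editorial assumption built from the commonly documented Cobalt Strike defaults (msagent_##, MSSE-####-server, postex_####, status_##), because the post’s own regex image is not reproduced in this text; the function names and the sample pipe names are constructed for the example, and any pipe renamed through a Malleable C2 profile will not match these defaults.

```powershell
# Added example, not part of the original post. Hunts for Cobalt Strike-style pipe
# names in (a) the live \\\\.\\pipe\\ listing and (b) Sysmon Pipe Created (17) and
# Pipe Connected (18) events. The patterns are assumptions built from commonly
# documented Cobalt Strike defaults, not the regex list from the post, and pipes
# renamed via a Malleable C2 profile will not match them.
$PipePatterns = @(
    @{ Pattern = '^msagent_[0-9a-f]{2}$'; Note = 'SMB beacon default' }
    @{ Pattern = '^MSSE-[0-9]+-server$';  Note = 'default artifact / stager' }
    @{ Pattern = '^postex_[0-9a-f]{4}$';  Note = 'post-exploitation job' }
    @{ Pattern = '^status_[0-9a-f]{2}$';  Note = 'older post-exploitation job' }
    @{ Pattern = '^bad_pipe$';            Note = 'test pipe from this post' }
)

function Test-PipeName {
    # Returns the matching pattern entry for one pipe name, or $null.
    param([string]$PipeName)
    if (-not $PipeName) { return $null }
    # Sysmon reports '\\msagent_f8', Get-ChildItem reports 'msagent_f8': normalise.
    $name = $PipeName.TrimStart('\\')
    foreach ($p in $PipePatterns) {
        if ($name -match $p.Pattern) {
            return [pscustomobject]@{ PipeName = $name; Pattern = $p.Pattern; Note = $p.Note }
        }
    }
    return $null
}

function Find-SuspiciousPipe {
    # Filters any stream of pipe names (live listing, event data, a text dump).
    param([Parameter(ValueFromPipeline)][string[]]$PipeName)
    process {
        foreach ($n in $PipeName) {
            $hit = Test-PipeName $n
            if ($hit) { $hit }
        }
    }
}

function Get-LivePipeHits {
    # Live hunt: the post's Get-ChildItem \\\\.\\pipe\\ listing, filtered.
    (Get-ChildItem '\\\\.\\pipe\\').Name | Find-SuspiciousPipe
}

function Get-SysmonPipeHits {
    # Historical hunt: Sysmon events 17 (CreatePipe) and 18 (ConnectPipe) carry
    # PipeName, Image and ProcessId, which also catches transient pipes that a
    # handle scan misses. Requires Sysmon with PipeEvent rules enabled.
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17, 18 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $hit = Test-PipeName $d.PipeName
        if ($hit) {
            [pscustomobject]@{
                UtcTime   = $d.UtcTime
                EventType = $d.EventType   # CreatePipe or ConnectPipe
                PipeName  = $hit.PipeName
                Note      = $hit.Note
                Image     = $d.Image
                ProcessId = $d.ProcessId
            }
        }
    }
}

# Constructed sample input (not real telemetry), written as Sysmon reports names.
$Sample = '\\msagent_f8', '\\MSSE-1423-server', '\\postex_4a2b', '\\lsass', '\\srvsvc', '\\bad_pipe'
$Sample | Find-SuspiciousPipe | Format-Table PipeName, Pattern, Note

# On a live host with Sysmon deployed:
# Get-LivePipeHits
# Get-SysmonPipeHits | Sort-Object UtcTime | Format-Table
```

The live listing and the Sysmon log answer different questions: Get-LivePipeHits only sees pipes that are open right now (the SMB beacon case), while Get-SysmonPipeHits sees every create and connect that Sysmon recorded, including pipes that were already gone by the time the host was scanned. Treat a hit as a lead, not a verdict: a match on the default patterns is strong, but an empty result says nothing about a profile with a custom pipename.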
The artefact result shows the process details as well as the pipe name of the SMB beacon.\r\nThis was a good start and found named pipes such as the SMB beacon that stay open for a long period of time, but it doesn’t catch transient named pipes that are created and closed between handle scans.\r\nOf course, if you are lucky enough to have Sysmon deployed to the network already, you can monitor for these same named pipes directly: Sysmon Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected) record the pipe name, the process image and the process ID, so the same regexes can be applied to the event log.\r\nEdit: I’m currently researching the possibility of monitoring named pipes with ETW and using Velociraptor further.\r\nThanks,\r\n@svch0st\r\nSource: https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575"
	],
	"report_names": [
		"guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a953c983ef09ac3b82dbcc2a84a42b2383dea487.pdf",
		"text": "https://archive.orkl.eu/a953c983ef09ac3b82dbcc2a84a42b2383dea487.txt",
		"img": "https://archive.orkl.eu/a953c983ef09ac3b82dbcc2a84a42b2383dea487.jpg"
	}
}