Named Pipe Metadata

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

Data Collection Measures:

Windows:
- Sysmon Event ID 17: Logs the creation of a named pipe.
- Sysmon Event ID 18: Logs connection attempts to a named pipe.
- Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
- ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
Linux/macOS:
- AuditD (mkfifo, open, read, write syscalls): Tracks FIFO (named pipe) creation and usage.
- Lsof (lsof -p <PID> or lsof | grep PIPE): Lists active named pipes and associated processes.
- Strace (strace -e open <process>): Monitors named pipe interactions.
Endpoint Detection & Response (EDR):
- Capture named pipe events as part of process tracking.
Memory Forensics:
- Volatility Plugin (pipescan): Enumerates named pipes in system memory.
- Rekall Framework: Identifies active named pipes and associated processes.

ID: DC0048

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
macos:unifiedlog	XPC messages requesting privileged actions from untrusted or unsigned clients
WinEventLog:Sysmon	EventCode=17

ID	Name	Technique Detected
DET0182	Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS	T1135
DET0389	Behavioral Detection of DLL Injection via Windows API	T1055.001
DET0493	Detect Abuse of Inter-Process Communication (T1559)	T1559
DET0335	Detect Abuse of XPC Services (T1559.003)	T1559.003