Named Pipe

Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file, and processes attach to it.[1]

ID: DS0023
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Named Pipe: Named Pipe Metadata

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

Data Collection Measures:

  • Windows:
    • Sysmon Event ID 17: Logs the creation of a named pipe.
    • Sysmon Event ID 18: Logs connection attempts to a named pipe.
    • Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
    • ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
  • Linux/macOS:
    • AuditD (mkfifo, open, read, write syscalls): Tracks FIFO (named pipe) creation and usage.
    • Lsof (lsof -p <PID> or lsof | grep PIPE): Lists active named pipes and associated processes.
    • Strace (strace -e open <process>): Monitors named pipe interactions.
  • Endpoint Detection & Response (EDR):
    • Capture named pipe events as part of process tracking.
  • Memory Forensics:
    • Volatility Plugin (pipescan): Enumerates named pipes in system memory.
    • Rekall Framework: Identifies active named pipes and associated processes.
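As an added illustration (not part of the ATT&CK page or any vendor tooling), the Python below turns Sysmon Event ID 17 and 18 records into the metadata this data component describes (pipe name plus creating process) and pairs each connecting process with the pipe's creator. The XML records, pipe name, PIDs and image paths are constructed placeholders.

```python
"""Build Named Pipe Metadata from Sysmon EID 17 (CreatePipe) / EID 18 (ConnectPipe) records.
All sample events below are constructed for this example; no value is a real indicator."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event schema


def parse_sysmon_pipe_event(xml_text):
    """Return {'event_id', 'pipe', 'image', 'pid', 'time'} for an EID 17/18 event, else None."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    if eid not in (17, 18):
        return None  # not a named-pipe event
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": eid, "pipe": data.get("PipeName", ""), "image": data.get("Image", ""),
            "pid": int(data.get("ProcessId", "0")), "time": data.get("UtcTime", "")}


def correlate_pipes(events):
    """Map each pipe name to its creator (from EID 17) and every client that connected (EID 18)."""
    pipes = defaultdict(lambda: {"creator": None, "clients": []})
    for ev in filter(None, map(parse_sysmon_pipe_event, events)):
        entry = pipes[ev["pipe"]]
        if ev["event_id"] == 17:
            entry["creator"] = (ev["image"], ev["pid"])
        else:
            entry["clients"].append((ev["image"], ev["pid"]))
    return dict(pipes)


def _event(eid, etype, pid, pipe, image):
    # Constructed Sysmon-style record carrying only the fields this example reads.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System><EventData>'
            f'<Data Name="EventType">{etype}</Data><Data Name="UtcTime">2025-01-01 00:00:00.000</Data>'
            f'<Data Name="ProcessId">{pid}</Data><Data Name="PipeName">{pipe}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')


SAMPLE_EVENTS = [  # constructed: a service creates a pipe, a process in a temp directory connects to it
    _event(17, "CreatePipe", 4120, r"\example_svc", r"C:\Windows\System32\svchost.exe"),
    _event(18, "ConnectPipe", 5233, r"\example_svc", r"C:\Users\alice\AppData\Local\Temp\tool.exe"),
    _event(1, "ProcessCreate", 1, "", ""),  # unrelated event type, ignored by the parser
]

if __name__ == "__main__":
    for name, info in correlate_pipes(SAMPLE_EVENTS).items():
        print(name, "created by", info["creator"], "clients:", info["clients"])
```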


Domain: Enterprise
ID: T1570
Name: Lateral Tool Transfer
Detects: Monitor for contextual data about named pipes on the system.

References