1. Home
  2. Data Sources
  3. Named Pipe

Named Pipe

Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it[1]

ID: DS0023
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 25 April 2025
Version Permalink

Data Components

Named Pipe: Named Pipe Metadata

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

Data Collection Measures:

  • Windows:
    • Sysmon Event ID 17: Logs the creation of a named pipe.
    • Sysmon Event ID 18: Logs connection attempts to a named pipe.
    • Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
    • ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
  • Linux/macOS:
    • AuditD (mkfifo, open, read, write syscalls): Tracks FIFO (named pipe) creation and usage.
    • Lsof (lsof -p <PID> or lsof | grep PIPE): Lists active named pipes and associated processes.
    • Strace (strace -e open <process>): Monitors named pipe interactions.
  • Endpoint Detection & Response (EDR):
    • Capture named pipe events as part of process tracking.
  • Memory Forensics:
    • Volatility Plugin (pipescan): Enumerates named pipes in system memory.
    • Rekall Framework: Identifies active named pipes and associated processes.

Named Pipe: Named Pipe Metadata

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

Data Collection Measures:

  • Windows:
    • Sysmon Event ID 17: Logs the creation of a named pipe.
    • Sysmon Event ID 18: Logs connection attempts to a named pipe.
    • Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
    • ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
  • Linux/macOS:
    • AuditD (mkfifo, open, read, write syscalls): Tracks FIFO (named pipe) creation and usage.
    • Lsof (lsof -p <PID> or lsof | grep PIPE): Lists active named pipes and associated processes.
    • Strace (strace -e open <process>): Monitors named pipe interactions.
  • Endpoint Detection & Response (EDR):
    • Capture named pipe events as part of process tracking.
  • Memory Forensics:
    • Volatility Plugin (pipescan): Enumerates named pipes in system memory.
    • Rekall Framework: Identifies active named pipes and associated processes.
Domain ID Name Detects
Enterprise T1570 Lateral Tool Transfer

Monitor for contextual data about named pipes on the system.

References

  1. Microsoft. (2018, May 31). Named Pipes. Retrieved September 28, 2021.