Named Pipe Metadata (b9a1578e-8653-4103-be23-cb52e0b1816e)
Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)
Data Collection Measures:
- Windows:
  - Sysmon Event ID 17: Logs the creation of a named pipe.
  - Sysmon Event ID 18: Logs connection attempts to a named pipe.
  - Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
  - ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
- Linux/macOS:
  - AuditD (`mkfifo`, `open`, `read`, `write` syscalls): Tracks FIFO (named pipe) creation and usage.
  - Lsof (`lsof -p <PID>` or `lsof | grep PIPE`): Lists active named pipes and associated processes.
  - Strace (`strace -e open <process>`): Monitors named pipe interactions.
- Endpoint Detection & Response (EDR):
  - Capture named pipe events as part of process tracking.
- Memory Forensics:
  - Volatility Plugin (`pipescan`): Enumerates named pipes in system memory.
  - Rekall Framework: Identifies active named pipes and associated processes.
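The Windows measures above name Sysmon Event IDs 17 and 18 as the source of named-pipe metadata. The following added example (not part of this cluster entry or of Sysmon) shows what a collector does with those records: it parses Event ID 17 (pipe created) and 18 (pipe connected) out of the Windows event XML layout, correlates creator and connecting processes per pipe name, and flags pipes created by an image outside an expected set. The three event records embedded in `SAMPLE_EVENTS`, the host name, PIDs, pipe names and image paths are all constructed for the demonstration; the `EventType`, `UtcTime`, `ProcessId`, `PipeName` and `Image` field names follow Sysmon's EventData layout.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Sysmon writes its events in this schema).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real telemetry): one EID 17 for \spoolss, one EID 18
# connecting to it, and one EID 17 for a pipe created by a process in a user profile.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID><Computer>host01.example.test</Computer></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
    <Data Name="ProcessId">1188</Data>
    <Data Name="PipeName">\spoolss</Data>
    <Data Name="Image">C:\Windows\System32\spoolsv.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>18</EventID><Computer>host01.example.test</Computer></System>
  <EventData>
    <Data Name="EventType">ConnectPipe</Data>
    <Data Name="UtcTime">2024-01-01 10:00:05.000</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="PipeName">\spoolss</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID><Computer>host01.example.test</Computer></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="UtcTime">2024-01-01 10:02:13.000</Data>
    <Data Name="ProcessId">5312</Data>
    <Data Name="PipeName">\updatesvc</Data>
    <Data Name="Image">C:\Users\alice\Downloads\updater.exe</Data>
  </EventData>
</Event>
</Events>"""


def parse_pipe_events(xml_text):
    """Return one dict per Sysmon EID 17/18 record with the pipe metadata fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (17, 18):
            continue  # other Sysmon event types are not pipe metadata
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "eid": eid,
            "event_type": data.get("EventType", ""),
            "utc_time": data.get("UtcTime", ""),
            "pid": int(data.get("ProcessId", "0")),
            "image": data.get("Image", ""),
            "pipe": data.get("PipeName", ""),
        })
    return events


def correlate(events):
    """Group records by pipe name: images that created it (EID 17) and connected to it (EID 18)."""
    pipes = {}
    for ev in events:
        entry = pipes.setdefault(ev["pipe"], {"created_by": [], "connected_by": []})
        key = "created_by" if ev["eid"] == 17 else "connected_by"
        entry[key].append(ev["image"])
    return pipes


def pipes_created_outside(events, expected_images):
    """Return (pipe, image) pairs for EID 17 records whose creating image is not expected."""
    expected = {p.lower() for p in expected_images}
    return [(ev["pipe"], ev["image"]) for ev in events
            if ev["eid"] == 17 and ev["image"].lower() not in expected]


if __name__ == "__main__":
    parsed = parse_pipe_events(SAMPLE_EVENTS)
    for pipe, who in correlate(parsed).items():
        print(pipe, "created by", who["created_by"], "connected by", who["connected_by"])
    # Expected creators would come from a baseline of the host; this list is constructed.
    print("unexpected creators:", pipes_created_outside(parsed, [r"C:\Windows\System32\spoolsv.exe"]))
```

The allowlist passed to `pipes_created_outside` stands in for a per-host baseline of processes known to create pipes; in practice it is built from the same EID 17 stream over a quiet period rather than written by hand.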
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Named Pipe Metadata (b9a1578e-8653-4103-be23-cb52e0b1816e) | mitre-data-component | Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | 1 |