Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
A named pipe that is associated with known malware, advanced persistent threat (APT) groups, or attack techniques can indicate a larger planned attack. Multiple devices on the network must already be compromised to enable an attacker to communicate data over a named pipe. Attack tools are publicly available that can deliver data over a named pipe. A named pipe that is delivering data for an attack tool does not adversely affect the network, but this activity can indicate that an attacker is moving laterally across your network.
Kill Chain
Risk Score
65
A named pipe is a process that enables peer-to-peer communication over the SMB file sharing protocol. Typically, read and write file operations are sent over pipes. Attackers can communicate commands and share data between compromised devices over a chain of linked pipes that hide the malicious activity. The chain can eventually lead to a device with an external connection to a C&C server. There are several tools that help attackers establish named pipes. If an attacker does not change the default name provided by the attack tool or malware, the named pipe will have a recognizable name that can indicate malicious activity.
