Named Pipes

Date: 2025-12-05 ID: e7dc3e89-157f-41bc-97d3-9161fa9a5620 Author: Raven Tait, Splunk Environment: custom Directory: named_pipes

Description

Manual generation of attack data to generate default named pipes associated with offensive tools.

ID	Technique	Tactic
T1055	Process Injection	Defense Evasion, Privilege Escalation

The following datasets were collected during this attack simulation:

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Windows Suspicious Named Pipe	`TTP`	Endpoint	T1559, T1021.002, T1055	APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Trickbot, Tuoni
Windows RMM Named Pipe	`Anomaly`	Endpoint	T1559, T1021.002, T1055	Cactus Ransomware, CISA AA24-241A, Command And Control, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard
Windows PUA Named Pipe	`Anomaly`	Endpoint	T1559, T1021.002, T1055	Active Directory Lateral Movement, BlackByte Ransomware, Cactus Ransomware, CISA AA22-320A, DarkGate Malware, DarkSide Ransomware, DHS Report TA18-074A, HAFNIUM Group, IcedID, Medusa Ransomware, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Seashell Blizzard, VanHelsing Ransomware, Volt Typhoon

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1055/named_pipes/windows-sysmon.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0