Event ID 9007006 — Named pipe event

Provider: Defender-DeviceEvents
Channel: NamedPipeEvent

Description

Named pipe event

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`FileName`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Named Pipe

Defender-DeviceEvents Event ID 9007006: Named pipe eventORSysmon Event ID 17: PipeEventOREvent ID 18: PipeEvent

15 rules

Sigma

CobaltStrike Named Pipe (source)

Florian Roth (Nextron Systems), Wojciech Lesicki

CobaltStrike Named Pipe Pattern Regex (source)

Florian Roth (Nextron Systems)

CobaltStrike Named Pipe Patterns (source)

Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)

Show 3 more (6 total)

HackTool - CoercedPotato Named Pipe Creation (source)

Florian Roth (Nextron Systems)

HackTool - EfsPotato Named Pipe Creation (source)

Florian Roth (Nextron Systems)

Malicious Named Pipe Created (source)

Florian Roth (Nextron Systems), blueteam0ps, elhoim

Splunk

Windows Anonymous Pipe Activity (source)

Teoderick Contreras, Splunk

Windows PUA Named Pipe (source)

Raven Tait, Splunk

Windows RMM Named Pipe (source)

Raven Tait, Splunk

Show 3 more (6 total)

Windows Suspicious C2 Named Pipe (source)

Raven Tait, Splunk

Windows Suspicious Named Pipe (source)

Raven Tait, Splunk

Trickbot Named Pipe (source)

Teoderick Contreras, Splunk

Kusto Query Language

Suspicious named pipes (source)

Solorigate Named Pipe (source)

Microsoft Security Research

C2-NamedPipe (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table