Windows Anonymous Pipe Activity

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects the creation or connection of anonymous pipes for inter-process communication (IPC) within a Windows environment. Anonymous pipes are commonly used by legitimate system processes, services, and applications to transfer data between related processes. However, adversaries frequently abuse anonymous pipes to facilitate stealthy process injection, command-and-control (C2) communication, credential theft, or privilege escalation. This detection monitors for unusual anonymous pipe activity, particularly involving non-system processes, unsigned executables, or unexpected parent-child process relationships. While legitimate use cases exist—such as Windows services, software installers, or security tools—unusual or high-frequency anonymous pipe activity should be investigated for potential malware, persistence mechanisms, or lateral movement techniques.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1559` Inter-Process Communication

Event coverage

Provider	Event ID	Title
Sysmon	17	PipeEvent (Pipe Created)
Sysmon	18	PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: `search`

search NOT Image IN ("C:\\Program Files*", "C:\\Windows\\system32\\*", "C:\\Windows\\syswow64\\*") EventCode IN (17, 18) EventType IN ("ConnectPipe", "CreatePipe") PipeName="*Anonymous Pipe*"

Stage 2: `stats`

stats BY dest, EventCode, PipeName, ProcessGuid, ProcessId, Image, EventType

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`Image`	in	`"C:\\Program Files"`, `"C:\\Windows\\system32\\"`, `"C:\\Windows\\syswow64\\*"`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	in	`17` corpus 6 (splunk 6) `18` corpus 6 (splunk 6)
`EventType`	in	`"ConnectPipe"` corpus 4 (splunk 4) `"CreatePipe"` corpus 4 (splunk 4)
`PipeName`	eq	`"Anonymous Pipe"`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Trickbot Named Pipe [splunk]
Windows App Layer Protocol Qakbot NamedPipe [splunk]
Windows App Layer Protocol Wermgr Connect To NamedPipe [splunk]
Windows Application Layer Protocol RMS Radmin Tool Namedpipe [splunk]
Windows PUA Named Pipe [splunk]
Windows RMM Named Pipe [splunk]
Windows Suspicious C2 Named Pipe [splunk]
Windows Suspicious Named Pipe [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Trickbot Named Pipe [splunk]
Windows App Layer Protocol Qakbot NamedPipe [splunk]
Windows App Layer Protocol Wermgr Connect To NamedPipe [splunk]
Windows Application Layer Protocol RMS Radmin Tool Namedpipe [splunk]
Windows PUA Named Pipe [splunk]
Windows RMM Named Pipe [splunk]
Windows Suspicious C2 Named Pipe [splunk]
Windows Suspicious Named Pipe [splunk]