
Windows Suspicious Named Pipe

Author: Raven Tait, Splunk
Source: upstream

The following analytic detects the creation of, or connection to, known suspicious named pipes. It leverages Sysmon EventCodes 17 (pipe created) and 18 (pipe connected) and matches the pipe name against a lookup of default pipe names used by malicious or suspicious tools. If confirmed malicious, this activity could indicate an attacker abusing these pipes for privilege escalation, persistence, C2 communications, or further system compromise.

MITRE ATT&CK coverage

Tactic | Techniques
Execution | T1559 Inter-Process Communication
Privilege Escalation | T1055 Process Injection
Defense Evasion | T1055 Process Injection
Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares

Event coverage

Provider | Event ID | Title
Sysmon | 17 | PipeEvent (Pipe Created)
Sysmon | 18 | PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: search

search NOT process_path IN ("*:\\Program Files \(x86\)\\Adobe*", "*:\\Program Files \(x86\)\\Google*", "*:\\Program Files \(x86\)\\Microsoft*", "*:\\Program Files\\Adobe*", "*:\\Program Files\\Google*", "*:\\Program Files\\Microsoft*", "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SystemApps\\Microsoft*", "*:\\Windows\\system32\\SearchIndexer.exe", "*\\Amazon\\SSM\\Instance*", "*\\AppData\\Local\\Google*", "*\\AppData\\Local\\Kingsoft\\*", "*\\AppData\\Local\\Microsoft*", "System") EventCode IN (17, 18)

Stage 2: stats

stats BY dest, dvc, process_exec, process_guid, process_id, process_path, pipe_name, user_id, process_name, signature, signature_id, vendor_product

Stage 3: lookup

lookup <lookup> description, pipe_name, suspicious_pipe_name, tool, type

Stage 4: where

where isnotnull(tool)

Stage 5: search

search

Stage 6: search

search

Stage 7: search

search `macro`
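As an added example (not part of this catalog entry or Splunk's own code), the four substantive stages of the rule re-implemented in Python over constructed Sysmon 17/18 events normalised to the rule's field names. The lookup rows are placeholders because the page does not list the real <lookup> contents, and wildcard matching of pipe_name against the lookup is an assumption.

```python
import fnmatch
from collections import Counter
# Stage 1 exclusions (the rule's NOT process_path IN (...)); SPL escaping removed, globs kept.
EXCLUDED_PROCESS_PATHS = [
    "*:\\Program Files (x86)\\Adobe*", "*:\\Program Files (x86)\\Google*",
    "*:\\Program Files (x86)\\Microsoft*", "*:\\Program Files\\Adobe*",
    "*:\\Program Files\\Google*", "*:\\Program Files\\Microsoft*",
    "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SystemApps\\Microsoft*",
    "*:\\Windows\\system32\\SearchIndexer.exe", "*\\Amazon\\SSM\\Instance*",
    "*\\AppData\\Local\\Google*", "*\\AppData\\Local\\Kingsoft\\*",
    "*\\AppData\\Local\\Microsoft*", "System",
]
# Constructed stand-in for the rule's <lookup>: suspicious_pipe_name pattern -> (tool, type).
# The real lookup rows are not on the page; these are placeholders, not real tool pipe names.
SUSPICIOUS_PIPE_LOOKUP = {"\\placeholder_c2_pipe*": ("PlaceholderC2", "c2"),
                          "\\placeholder_inject_pipe": ("PlaceholderInjector", "injection")}
GROUP_FIELDS = ("dest", "process_path", "pipe_name", "user_id")

def is_excluded(process_path):
    # Windows paths are case-insensitive, so compare lowercased path against lowercased globs.
    p = process_path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in EXCLUDED_PROCESS_PATHS)

def lookup_pipe(pipe_name):
    # Stage 3: wildcard lookup on pipe_name (assumes a WILDCARD-matched lookup definition).
    for pat, row in SUSPICIOUS_PIPE_LOOKUP.items():
        if fnmatch.fnmatchcase(pipe_name.lower(), pat.lower()):
            return row
    return None

def detect(events):
    # Stage 1 search -> Stage 2 stats BY -> Stage 3 lookup -> Stage 4 where isnotnull(tool).
    groups = Counter(tuple(ev[f] for f in GROUP_FIELDS) for ev in events
                     if ev["EventCode"] in (17, 18) and not is_excluded(ev["process_path"]))
    alerts = []
    for key, count in groups.items():
        hit = lookup_pipe(key[2])
        if hit is not None:
            alerts.append(dict(zip(GROUP_FIELDS, key), count=count, tool=hit[0], type=hit[1]))
    return alerts

# Constructed Sysmon 17/18 events normalised to the rule's field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 17, "dest": "ws01", "user_id": "S-1-5-21-1", "process_path": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe", "pipe_name": "\\placeholder_c2_pipe_7"},
    {"EventCode": 18, "dest": "ws01", "user_id": "S-1-5-21-1", "process_path": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe", "pipe_name": "\\placeholder_c2_pipe_7"},
    {"EventCode": 17, "dest": "ws01", "user_id": "S-1-5-18", "process_path": "C:\\Windows\\System32\\svchost.exe", "pipe_name": "\\placeholder_inject_pipe"},
    {"EventCode": 17, "dest": "ws02", "user_id": "S-1-5-21-2", "process_path": "C:\\Tools\\notepad.exe", "pipe_name": "\\mojo.1234"},
    {"EventCode": 1, "dest": "ws02", "user_id": "S-1-5-21-2", "process_path": "C:\\Tools\\x.exe", "pipe_name": "\\placeholder_inject_pipe"},
]
if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the Temp-path process surfaces: the svchost event is dropped by the Stage 1 exclusion even though its pipe is in the lookup, which is the trade-off the exclusion list makes.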

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field | Kind | Excluded values
1 | process_name | in | "*:\\Program Files \(x86\)\\Adobe*", "*:\\Program Files \(x86\)\\Google*", "*:\\Program Files \(x86\)\\Microsoft*", "*:\\Program Files\\Adobe*", "*:\\Program Files\\Google*", "*:\\Program Files\\Microsoft*", "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SystemApps\\Microsoft*", "*:\\Windows\\system32\\SearchIndexer.exe", "*\\Amazon\\SSM\\Instance*", "*\\AppData\\Local\\Google*", "*\\AppData\\Local\\Kingsoft\\*", "*\\AppData\\Local\\Microsoft*", "System"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventCode | in |
  • 17, corpus 6 (splunk 6)
  • 18, corpus 6 (splunk 6)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.