This note documents detection patterns related to Named Pipe Traffic within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 17 | Pipe created | Critical | Direct named pipe creation visibility. |
| Sysmon | 18 | Pipe connected | Critical | Pipe client/server connection. |
| Security | 4688 | Process creation | Critical | Process context for the client/server image; 4688 itself records no pipe name, so correlate it with Sysmon 17/18. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for pipe traffic chains. |
| Sysmon | 10 | Process access | High | Often adjacent to pipe IPC abuse. |
| Security | 5145 | Share/object access | Medium | Sometimes adjacent in SMB pipe contexts. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Rare pipe names | Random / custom names | Critical | Strong anomaly. |
| Non-service process hosts pipe | User process as server | Critical | Valuable signal. |
| Pipe tied to shell | cmd / powershell linked | Critical | Strong malicious clue. |
| Repeated pipe reconnects | IPC channel / beacon | High | Persistent communication clue. |
| Pipe names match C2 frameworks | Known beacon names | Critical | Framework fingerprint. |
| Pipe + privilege escalation | Potato-style chain | Critical | Strong context. |
Common Tools
| Tool | Usage |
|---|---|
| Cobalt Strike | SMB / pipe channels |
| Custom implants | IPC traffic |
| PowerShell | Named pipe IPC |
| PsExec-style tools | Remote pipe operations |
Relevant Artifacts
- Sysmon Event IDs 17, 18, 1, 10
- Security Event IDs 4688, 5145
- Pipe names
- Process tree
- Integrity levels
- Prefetch for parent tools
MITRE ATT&CK References
- T1055 Process Injection
- T1021.002 SMB/Windows Admin Shares
Decision Tree
- Which process owns the pipe?
  - Service
  - Shell
  - Implant
- Is the pipe name known?
  - Framework pattern
  - Random
- Server/client role?
  - Local IPC
  - Cross-process
  - Remote tie-in
- Follow-on action?
  - Token abuse
  - Beacon
  - Injection
- Expand:
  - Parent lineage
  - Pipe cadence
  - Privileges
- Scope:
  - Single pipe
  - Persistent IPC
  - Framework behavior
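Added example, not part of the original note: a small Python triage pass that applies the indirect indicators and the first decision-tree questions (owning process, name known or random, reconnect cadence) to constructed Sysmon 17/18 records. The baseline pipe set, the "image under System32 counts as service-hosted" heuristic and the reconnect threshold are assumptions to be replaced with your own environment's baseline.

```python
"""Triage Sysmon pipe events (17 = created, 18 = connected) against the indirect indicators."""
import re
from collections import defaultdict

# Assumed baseline of pipe names expected on this host (constructed, not a vendor list).
BASELINE_PIPES = {r"\spoolss", r"\srvsvc", r"\wkssvc", r"\ntsvcs", r"\lsass"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SERVICE_DIR = "c:\\windows\\system32\\"  # assumption: pipe servers from here are service-hosted
RECONNECT_THRESHOLD = 3                   # assumed cadence threshold for "repeated reconnects"

# Constructed sample records (not captured telemetry): one benign pipe, one suspicious one.
EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\spoolss"},
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "PipeName": r"\a7f3c9e1b2"},
    {"EventID": 18, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PipeName": r"\a7f3c9e1b2"},
    {"EventID": 18, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PipeName": r"\a7f3c9e1b2"},
    {"EventID": 18, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PipeName": r"\a7f3c9e1b2"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_random(name):
    """Alnum blob of 8+ chars mixing letters and digits (e.g. \\a7f3c9e1b2) reads as generated."""
    body = name.lstrip("\\")
    return (re.fullmatch(r"[0-9a-z]{8,}", body, re.I) is not None
            and any(c.isdigit() for c in body) and any(c.isalpha() for c in body))

def triage(events):
    """Return {pipe_name: sorted indicator labels} for every pipe that trips at least one indicator."""
    by_pipe = defaultdict(list)
    for ev in events:
        by_pipe[ev["PipeName"]].append(ev)
    findings = {}
    for pipe, evs in by_pipe.items():
        hits = set()
        if pipe not in BASELINE_PIPES:
            hits.add("rare_pipe_name")
        if looks_random(pipe):
            hits.add("random_name")
        for ev in evs:
            img = ev["Image"].lower()
            if ev["EventID"] == 17 and not img.startswith(SERVICE_DIR):
                hits.add("non_service_host")       # user-land process acting as pipe server
            if basename(img) in SHELLS:
                hits.add("shell_linked")           # cmd / powershell on either side of the pipe
        if sum(1 for ev in evs if ev["EventID"] == 18) >= RECONNECT_THRESHOLD:
            hits.add("repeated_reconnects")        # beacon-like cadence on one pipe name
        if hits:
            findings[pipe] = sorted(hits)
    return findings

if __name__ == "__main__":
    print(triage(EVENTS))
```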
Example Detection Templates
KQL

```kusto
Sysmon
| where EventID in (17, 18)
| project TimeGenerated, Computer, Image, PipeName
```

```kusto
SecurityEvent
| where EventID == 4688
| project TimeGenerated, Computer, NewProcessName, ParentProcessName
```

EQL

```eql
pipe where event.code in ("17", "18")
```

```eql
sequence by host.name with maxspan=5m
  [ pipe where event.code == "17" ]
  [ pipe where event.code == "18" ]
```
Sigma

```yaml
title: Named Pipe Traffic Detection
id: 5f2c9b18-named-pipe-traffic
status: experimental
description: Detects suspicious named pipe traffic
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID:
      - 17
      - 18
  condition: selection
fields:
  - Image
  - PipeName
falsepositives:
  - Legitimate IPC
level: high
tags:
  - attack.command_and_control
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Enable Sysmon 17/18 | Core visibility | Critical | Essential telemetry |
| Baseline pipe names | Reduce noise | High | Valuable context |
| Watch shell-linked pipes | Strong signal | Critical | High-value |
| Correlate with pipe cadence | Detect beaconing | High | Strong triage |
| EDR lineage | Best IPC visibility | Critical | Operationally important |