This note documents detection patterns related to Named Pipe Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects pipe abuse tooling and resulting child processes. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for named pipe abuse chains. |
| Sysmon | 17 | Pipe created | Critical | Direct visibility into named pipe creation. |
| Sysmon | 18 | Pipe connected | Critical | Pipe client/server interaction. |
| Sysmon | 10 | Process access | High | Often adjacent to token abuse chains. |
| Security | 4672 | Special privileges assigned | High | Elevated token often follows pipe exploitation. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Suspicious pipe names | Random / attacker-known names | Critical | Strong malicious clue. |
| Pipe + SYSTEM shell | Common potato-family outcome | Critical | Privilege escalation signal. |
| Non-service process creates server pipe | Rare anomaly | Critical | Valuable indicator. |
| Pipe rapidly followed by elevated cmd | Strong exploitation chain | Critical | High-confidence pattern. |
| Pipe tied to token abuse | SeImpersonate context | Critical | Common modern privesc path. |
| Short-lived pipe activity | Fast exploit execution | High | Operator behavior. |
Common Tools
| Tool | Usage |
|---|---|
| PrintSpoofer | Named pipe privilege escalation |
| RoguePotato | Token impersonation |
| JuicyPotato variants | COM + pipe abuse |
| Custom loaders | Pipe-based token relay |
Relevant Artifacts
- Security Event IDs 4688, 4672
- Sysmon Event IDs 1, 17, 18, 10
- Pipe names
- Process integrity levels
- Token privilege context
- Prefetch for exploit tool
- EDR process tree
MITRE ATT&CK References
- T1134 Access Token Manipulation
- T1055 Process Injection
Decision Tree
- Which process created the pipe?
  - Service
  - User process
  - Exploit tool
- Is the pipe name suspicious?
  - Random
  - Known exploit pattern
- Does an elevated child follow?
  - cmd
  - powershell
  - service action
- Which privileges are present?
  - SeImpersonate
  - SYSTEM token
- Expand:
  - Token abuse
  - Service chain
  - COM trigger
- Scope:
  - Single exploit
  - Repeated attempts
  - Toolkit behavior
Example Detection Templates
KQL

```kql
// Named pipe creation / connection events (Sysmon 17, 18)
Sysmon
| where EventID in (17, 18)
| project TimeGenerated, Computer, Image, PipeName
```

```kql
// Shell launches to correlate against pipe activity (Security 4688)
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("cmd.exe", "powershell.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName
```
EQL

```eql
pipe where event.code in ("17", "18")
```

```eql
sequence by host.name with maxspan=5m
  [ pipe where event.code == "17" ]
  [ process where process.name in ("cmd.exe", "powershell.exe") ]
```
Sigma

```yaml
title: Named Pipe Abuse Detection
id: 2f6b4d14-named-pipe-abuse
status: experimental
description: Detects suspicious named pipe creation linked to privilege escalation
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID:
      - 17
      - 18
  condition: selection
fields:
  - Image
  - PipeName
falsepositives:
  - Legitimate IPC
level: high
tags:
  - attack.privilege_escalation
```
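As an added worked example that is not part of the original note, the Python below correlates a Sysmon pipe creation (Event ID 17) with an elevated cmd/powershell launch (Event ID 1) inside the 5-minute window used by the EQL sequence, scoring each pair with the decision-tree questions (non-service creator, unexpected pipe name, shell parented by the creator). The service directories, the pipe allowlist and the sample telemetry are constructed assumptions, not values from the note.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=5)               # window from the EQL sequence above
SHELLS = {"cmd.exe", "powershell.exe"}
ELEVATED = {"High", "System"}                 # Sysmon IntegrityLevel values
# Assumption: images outside these directories are treated as non-service processes.
SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: a site-specific allowlist of expected pipe names (constructed here).
KNOWN_PIPES = frozenset({"\\spoolss", "\\lsass", "\\winreg"})

# Constructed sample telemetry using Sysmon field names (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2026-03-07 10:00:00", "Computer": "ws1",
     "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"},
    {"EventID": 17, "UtcTime": "2026-03-07 10:00:05", "Computer": "ws1",
     "Image": "C:\\Users\\bob\\Downloads\\tool.exe", "PipeName": "\\q7x1z"},
    {"EventID": 1, "UtcTime": "2026-03-07 10:00:07", "Computer": "ws1",
     "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "System",
     "ParentImage": "C:\\Users\\bob\\Downloads\\tool.exe"},
    {"EventID": 1, "UtcTime": "2026-03-07 10:02:00", "Computer": "ws1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "IntegrityLevel": "High", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, known_pipes=KNOWN_PIPES, maxspan=MAXSPAN):
    """Pair each pipe creation with elevated shells started within maxspan on the
    same host and score the pair; a score of 3 or more warrants immediate triage."""
    alerts = []
    pipes = [e for e in events if e["EventID"] == 17]
    shells = [e for e in events if e["EventID"] == 1
              and _name(e["Image"]) in SHELLS and e["IntegrityLevel"] in ELEVATED]
    for p in pipes:
        t0 = _ts(p["UtcTime"])
        for s in shells:
            if s["Computer"] != p["Computer"] or not t0 <= _ts(s["UtcTime"]) <= t0 + maxspan:
                continue
            score = 1  # pipe followed by an elevated shell inside the window
            score += not p["Image"].lower().startswith(SERVICE_DIRS)   # non-service creator
            score += p["PipeName"].lower() not in known_pipes          # unexpected pipe name
            score += _name(s["ParentImage"]) == _name(p["Image"])       # shell parented by creator
            alerts.append({"pipe": p["PipeName"], "creator": p["Image"],
                           "shell": s["Image"], "score": score})
    return sorted(alerts, key=lambda a: -a["score"])
```

On the sample data the tool.exe pipe followed by a SYSTEM cmd.exe scores 4, while the spooler's expected pipe paired with an admin's elevated PowerShell only scores 1, which is the kind of benign IPC the Sigma rule lists as a false positive.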
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Enable Sysmon 17/18 | Core pipe visibility | Critical | Essential telemetry |
| Watch suspicious pipe names | High anomaly value | High | Strong enrichment |
| Restrict SeImpersonate | Reduce exploit surface | Critical | Core hardening |
| Correlate pipe + elevation | Strong signal | Critical | High-confidence triage |
| EDR lineage | Track exploit chains | Critical | Best visibility |