The hypothesis is that an adversary may be creating a named pipe via mkfifo to establish a covert communication channel or to exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel, as it could indicate persistent or stealthy malware leveraging Unix-style inter-process communication mechanisms on Linux or Windows systems.
Detection Rule
title: Potentially Suspicious Named Pipe Created Via Mkfifo
id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
related:
    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
      type: derived
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
        # Note: Add more potentially suspicious locations
        CommandLine|contains: ' /tmp/'
    condition: selection
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where TargetProcessName endswith "/mkfifo" and TargetProcessCommandLine contains " /tmp/"
Scenario: System Administrator Creating a Named Pipe for Inter-Process Communication (IPC)
Description: A sysadmin uses mkfifo to create a named pipe for communication between two services.
Filter/Exclusion: Check the process owner (uid) and command line arguments. Exclude if the process is initiated by a known admin user (e.g., root, sysadmin) and the command includes legitimate tools like mkfifo with expected IPC paths (e.g., /tmp/pipe1).
Scenario: Scheduled Job Using Named Pipe for Data Streaming
Description: A cron job or systemd timer creates a named pipe to stream data between services (e.g., log aggregation or real-time data processing).
Filter/Exclusion: Filter by process name or command line. Exclude if the command includes a known job scheduler (e.g., cron, systemd) and the named pipe path is within a job-specific directory (e.g., /var/jobs/pipe).
Scenario: Development Team Using Named Pipe for Debugging or Testing
Description: A developer uses mkfifo to set up a named pipe for testing or debugging purposes (e.g., between a frontend and backend service).
Filter/Exclusion: Exclude if the process is initiated by a developer user (e.g., devuser) and the named pipe is located in a development directory (e.g., /home/devuser/pipe_test).
Scenario: Security Tool or SIEM Agent Creating Named Pipe for Log Aggregation
Description: A security tool (e.g., splunk, logstash) creates a named pipe to receive logs from multiple sources.
Filter/Exclusion: Exclude if the process is initiated by the security tool’s service account (e.g., splunk, logstash) and the pipe is in a
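The following Python is an added example, not code from the page, the Sigma rule or Nextron Systems. It applies the rule's selection (Image ending in /mkfifo and a command line containing " /tmp/", with the location list parameterised as the rule's own note suggests) to a handful of constructed process_creation events, and then applies the four tuning scenarios above as exclusions. The field names (Image, CommandLine, User, ParentImage), the sample users, parent images and the scheduler names are assumptions; the security-tool pipe directories are an assumption as well, since the page's last scenario is cut off before it names one. Each exclusion requires both of its conditions, so a cron-spawned mkfifo in /tmp or a developer creating a FIFO in /tmp still alerts.

```python
"""Apply the mkfifo Sigma selection plus the page's tuning scenarios to
constructed process_creation events. Added example; all values are invented."""
import shlex

# Constructed sample events using Sigma process_creation field names (assumed).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /tmp/.f", "User": "www-data", "ParentImage": "/bin/sh"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo -m 600 /tmp/pipe1", "User": "root", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /var/jobs/pipe", "User": "root", "ParentImage": "/usr/sbin/cron"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /tmp/.s", "User": "root", "ParentImage": "/usr/sbin/cron"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /home/devuser/pipe_test", "User": "devuser", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /tmp/devpipe", "User": "devuser", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /opt/splunkforwarder/var/in.pipe", "User": "splunk", "ParentImage": "/opt/splunkforwarder/bin/splunkd"},
    {"Image": "/usr/bin/touch", "CommandLine": "touch /tmp/x", "User": "root", "ParentImage": "/bin/bash"},
]

# Tuning values taken from the page's scenarios (paths and users are the page's
# examples); TOOL_DIRS is an assumption because the page's last clause is truncated.
ADMIN_USERS = {"root", "sysadmin"}
EXPECTED_IPC_PIPES = {"/tmp/pipe1"}
SCHEDULER_SUFFIXES = ("/cron", "/crond", "/systemd")  # ParentImage suffixes (assumed names)
JOB_PIPE_DIR = "/var/jobs/"
DEV_USERS = {"devuser"}
DEV_DIRS = ("/home/devuser/",)
TOOL_ACCOUNTS = {"splunk", "logstash"}
TOOL_DIRS = ("/opt/splunkforwarder/", "/usr/share/logstash/")  # assumption


def matches_selection(event, locations=(" /tmp/",)):
    """The Sigma selection: Image|endswith '/mkfifo' and CommandLine|contains one
    of the suspicious location markers (default is the rule's ' /tmp/')."""
    return event["Image"].endswith("/mkfifo") and any(loc in event["CommandLine"] for loc in locations)


def pipe_paths(command_line):
    """Return the FIFO paths from an mkfifo command line, skipping option flags
    and the value that follows -m/--mode."""
    paths, skip_next = [], False
    for tok in shlex.split(command_line)[1:]:
        if skip_next:
            skip_next = False
        elif tok in ("-m", "--mode"):
            skip_next = True
        elif not tok.startswith("-"):
            paths.append(tok)
    return paths


def exclusion_reason(event):
    """Return the name of the page's scenario that excludes this event, or None.
    Every exclusion needs both the actor condition and the path condition."""
    paths = pipe_paths(event["CommandLine"])
    if not paths:
        return None
    user, parent = event["User"], event["ParentImage"]
    if user in ADMIN_USERS and all(p in EXPECTED_IPC_PIPES for p in paths):
        return "admin_ipc"
    if parent.endswith(SCHEDULER_SUFFIXES) and all(p.startswith(JOB_PIPE_DIR) for p in paths):
        return "scheduled_job"
    if user in DEV_USERS and all(p.startswith(DEV_DIRS) for p in paths):
        return "developer_test"
    if user in TOOL_ACCOUNTS and all(p.startswith(TOOL_DIRS) for p in paths):
        return "security_tool"
    return None


def hunt(events, locations=(" /tmp/",)):
    """Run selection then exclusions; alert only on matched, non-excluded events."""
    results = []
    for ev in events:
        matched = matches_selection(ev, locations)
        reason = exclusion_reason(ev)
        results.append({"cmd": ev["CommandLine"], "user": ev["User"], "matched": matched,
                        "excluded": reason, "alert": matched and reason is None})
    return results


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(f"{'ALERT' if r['alert'] else '     '} matched={r['matched']!s:5} "
              f"excluded={str(r['excluded']):15} {r['user']:9} {r['cmd']}")
```

Running the block prints one line per sample event; the two alerts are the www-data FIFO in /tmp and the cron-spawned FIFO in /tmp, while the root /tmp/pipe1 case is suppressed by the admin IPC exclusion. Passing a broader `locations` tuple (for example adding " /var/jobs/") is how the rule's "add more locations" note is tried out without losing the exclusions.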