Suspicious Named Pipe Creation

This rule detects the creation of unusually labeled named pipes (FIFOs) by the mkfifo command, which is often used by attackers to establish persistence on a target system or to execute commands in the background. Through the new_terms rule type, this rule can identify uncommon process command lines that may indicate the presence of a malicious named pipe.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/04/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/07"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation of unusually labeled named pipes (FIFOs) by the mkfifo command, which is often used by
attackers to establish persistence on a target system or to execute commands in the background. Through the new_terms
rule type, this rule can identify uncommon process command lines that may indicate the presence of a malicious
named pipe.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Named Pipe Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Named Pipe Creation

Named pipes, or FIFOs, are a form of inter-process communication in Linux environments, allowing data transfer between processes. Adversaries exploit this by creating named pipes in common directories like /tmp to stealthily execute commands or maintain persistence. The detection rule identifies unusual named pipe creation by monitoring the `mkfifo` command, especially when initiated by common shell processes, to flag potential malicious activity.

### Possible investigation steps

- Review the process command line arguments to identify the exact named pipe path and any associated commands or scripts that might have been executed using the named pipe.
- Investigate the parent process (bash, csh, dash, fish, ksh, sh, tcsh, or zsh) to determine the origin of the mkfifo command, checking for any unusual or unexpected scripts or commands that might have initiated it.
- Examine the user account associated with the mkfifo process to determine if it is a legitimate user or if the account might have been compromised.
- Check for any other suspicious activities or processes running under the same user account or originating from the same parent process to identify potential lateral movement or further malicious actions.
- Analyze the system logs around the time of the named pipe creation for any other indicators of compromise, such as unauthorized access attempts or unusual network connections.
- If possible, capture and review the contents of the named pipe to understand the data being transferred and assess whether it is part of a malicious operation.

### False positive analysis

- Named pipes created by legitimate applications for inter-process communication can trigger this rule. Users should identify and whitelist these applications by adding exceptions for specific process command lines that are known to be safe.
- System maintenance scripts or backup processes that use named pipes in directories like /tmp or /var/tmp may cause false positives. Review these scripts and exclude them from the rule if they are verified as non-malicious.
- Development environments or testing frameworks that frequently create and delete named pipes during their operations might be flagged. Users can mitigate this by excluding these environments from monitoring or by specifying exceptions for known development tools.
- Automated deployment tools that use named pipes for configuration management or orchestration tasks can also be a source of false positives. Ensure these tools are recognized and excluded from the rule to prevent unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.
- Terminate any suspicious processes associated with the mkfifo command, especially those originating from common shell processes like bash or sh.
- Delete any named pipes created in directories such as /tmp, /dev/shm, or /var/tmp that do not follow expected naming conventions or are not part of legitimate applications.
- Conduct a thorough review of user accounts and permissions on the affected system to identify any unauthorized access or privilege escalation.
- Restore the system from a known good backup if any unauthorized changes or persistence mechanisms are detected.
- Implement additional monitoring on the affected system and network to detect any further attempts to create suspicious named pipes or execute unauthorized commands.
- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.
"""
risk_score = 21
rule_id = "8167c5ae-3310-439a-8a58-be60f55023d2"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:mkfifo and
process.parent.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
process.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not /*fifo*)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
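The following Python is an added example, not Elastic's code: it re-implements the rule's KQL predicate (including the array semantics of process.args and the /*fifo* exclusion) and the new_terms baseline on (host.id, process.command_line), and runs both over constructed ECS-style process events to show which ones would alert.

```python
from fnmatch import fnmatchcase

PARENT_SHELLS = {"bash", "csh", "dash", "fish", "ksh", "sh", "tcsh", "zsh"}
TMP_GLOBS = ("/dev/shm/*", "/tmp/*", "/var/tmp/*")


def matches_query(ev: dict) -> bool:
    """Mirror of the rule's KQL: a Linux mkfifo exec whose parent is a listed shell,
    with some arg under a tmp directory and no arg matching the /*fifo* exclusion."""
    if not (ev.get("host.os.type") == "linux"
            and ev.get("event.category") == "process"
            and ev.get("event.type") == "start"
            and ev.get("event.action") == "exec"
            and ev.get("process.name") == "mkfifo"
            and ev.get("process.parent.name") in PARENT_SHELLS):
        return False
    args = ev.get("process.args", [])
    # KQL on a multi-valued field: "some value hits a tmp glob" and "no value hits /*fifo*"
    in_tmp = any(fnmatchcase(a, g) for a in args for g in TMP_GLOBS)
    excluded = any(fnmatchcase(a, "/*fifo*") for a in args)
    return in_tmp and not excluded


def new_terms_alerts(history: list, window: list) -> list:
    """new_terms on (host.id, process.command_line): a window event alerts only when its
    key never appeared among query-matching events in the history (10-day) baseline."""
    seen = {(e["host.id"], e["process.command_line"]) for e in history if matches_query(e)}
    alerts = []
    for e in window:
        key = (e["host.id"], e["process.command_line"])
        if matches_query(e) and key not in seen:
            alerts.append(key)
            seen.add(key)  # a term combination is "new" only the first time it is seen
    return alerts


def ev(host: str, parent: str, args: list) -> dict:
    """Constructed ECS-style mkfifo exec event (sample data, not a real endpoint log)."""
    return {"host.os.type": "linux", "event.category": "process", "event.type": "start",
            "event.action": "exec", "process.name": "mkfifo", "process.parent.name": parent,
            "process.args": args, "host.id": host, "process.command_line": " ".join(args)}


SAMPLE_HISTORY = [ev("h1", "bash", ["mkfifo", "/tmp/backup.pipe"])]   # known baseline
SAMPLE_WINDOW = [
    ev("h1", "bash", ["mkfifo", "/tmp/backup.pipe"]),  # already in baseline: no alert
    ev("h1", "sh",   ["mkfifo", "/tmp/f"]),            # new command line on h1: alert
    ev("h1", "bash", ["mkfifo", "/tmp/myfifo"]),       # dropped by the not /*fifo* clause
    ev("h1", "cron", ["mkfifo", "/tmp/x"]),            # parent is not a listed shell
    ev("h2", "zsh",  ["mkfifo", "/home/u/p"]),         # not under a tmp directory
]

if __name__ == "__main__":
    print(new_terms_alerts(SAMPLE_HISTORY, SAMPLE_WINDOW))
```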
