Named Pipe Created Via Mkfifo

Aug 12, 2024 · attack.execution ·

Detects the creation of a new named pipe using the "mkfifo" utility

Sigma rule (View on GitHub)

 1title: Named Pipe Created Via Mkfifo
 2id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
 3status: test
 4description: Detects the creation of a new named pipe using the "mkfifo" utility
 5references:
 6    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
 7    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-06-16
10tags:
11    - attack.execution
12logsource:
13    category: process_creation
14    product: linux
15detection:
16    selection:
17        Image|endswith: '/mkfifo'
18    condition: selection
19falsepositives:
20    - Unknown
21level: low

References

Use `mkfifo` to create named pipe - Linux Tips

We can use mkfifo or mknod command to create a named pipe. A pipe is a structure which one end can se...

Read More
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...

Read More

Named Pipe Created Via Mkfifo

Sigma rule (View on GitHub)

References

Use `mkfifo` to create named pipe - Linux Tips

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

Related rules