Named Pipe Created Via Mkfifo

May 2, 2024 · attack.execution ·

Detects the creation of a new named pipe using the "mkfifo" utility

Sigma rule (View on GitHub)

 1title: Named Pipe Created Via Mkfifo
 2id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
 3status: test
 4description: Detects the creation of a new named pipe using the "mkfifo" utility
 5references:
 6    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
 7    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/06/16
10tags:
11    - attack.execution
12logsource:
13    category: process_creation
14    product: linux
15detection:
16    selection:
17        Image|endswith: '/mkfifo'
18    condition: selection
19falsepositives:
20    - Unknown
21level: low

References

Use `mkfifo` to create named pipe - Linux Tips

We can use mkfifo or mknod command to create a named pipe. A pipe is a structure which one end can se...

Read More
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that the...

Read More

Named Pipe Created Via Mkfifo

Sigma rule (View on GitHub)

References

Use `mkfifo` to create named pipe - Linux Tips

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

Related rules