Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
Sigma rule (View on GitHub)
1title: Potentially Suspicious Named Pipe Created Via Mkfifo
2id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
3related:
4 - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
5 type: derived
6status: test
7description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
8references:
9 - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
10 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-06-16
13tags:
14 - attack.execution
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection:
20 Image|endswith: '/mkfifo'
21 # Note: Add more potentially suspicious locations
22 CommandLine|contains: ' /tmp/'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
We can use mkfifo or mknod command to create a named pipe. A pipe is a structure which one end can se...
Read More -
SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change