Potentially Suspicious Named Pipe Created Via Mkfifo

Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location

Sigma rule

title: Potentially Suspicious Named Pipe Created Via Mkfifo
id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
related:
    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
      type: derived
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
        # Note: Add more potentially suspicious locations
        CommandLine|contains: ' /tmp/'
    condition: selection
falsepositives:
    - Unknown
level: medium
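
The rule's selection logic evaluated over sample events, as an added example that is not part of the rule or the Sigma project's tooling. The events are constructed, and the entries in `EXTRA_DIRS` are assumed candidates for the rule's "add more locations" note, not values from the rule.

```python
# Added example: a minimal evaluator for this rule's selection block.
# It mirrors Sigma semantics: fields inside one selection are ANDed and
# string modifiers (endswith, contains) compare case-insensitively.

RULE_DIRS = [" /tmp/"]                      # value taken from the rule
EXTRA_DIRS = [" /dev/shm/", " /var/tmp/"]   # assumption: candidate additions


def matches(event, dirs=RULE_DIRS):
    """Return True when a process_creation event satisfies the selection."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Image|endswith: '/mkfifo'  AND  CommandLine|contains: one of dirs
    return image.endswith("/mkfifo") and any(d in cmdline for d in dirs)


# Constructed process_creation events (not real telemetry).
EVENTS = [
    # mkfifo writing under /tmp: matches the rule as published.
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /tmp/f"},
    # mkfifo in a service runtime directory: benign pattern, no match.
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo -m 600 /run/app/ctl.fifo"},
    # Different binary touching /tmp: Image condition fails.
    {"Image": "/usr/bin/touch", "CommandLine": "touch /tmp/f"},
    # Image is the shell, not mkfifo, so this event alone does not match.
    {"Image": "/bin/sh", "CommandLine": "sh -c 'mkfifo /tmp/f'"},
    # Only matches once the location list is extended.
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /dev/shm/q"},
]


def triage(events, dirs=RULE_DIRS):
    """Return the command lines of all events that would raise an alert."""
    return [e["CommandLine"] for e in events if matches(e, dirs)]


if __name__ == "__main__":
    print("rule as published:", triage(EVENTS))
    print("with extra dirs:  ", triage(EVENTS, RULE_DIRS + EXTRA_DIRS))
```

Running candidate locations through a harness like this against a sample of known-good process events shows how many alerts each addition would raise before the rule is changed.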
