TTP Analysis: Named Pipes and In-Memory Evasion

Danger

Executive Summary: Named Pipes are a fundamental Inter-Process Communication (IPC) mechanism within the Windows operating system. Because they operate entirely in memory and utilize native, trusted system processes, threat actors heavily abuse them. From encapsulating Command & Control (C2) traffic over SMB for stealthy lateral movement, to exploiting flawed access controls for Local Privilege Escalation (LPE) via token impersonation, Named Pipes represent a critical blind spot for traditional, disk-centric forensic analysis.

1. Anatomy and Mechanics of Named Pipes

Before hunting for malicious pipes, analysts must understand how the Windows kernel handles them. A Named Pipe is a segment of shared memory that processes use to exchange data. It operates on a strict Client/Server architecture: a server process creates the pipe, and client processes connect to it to read or write data.

Under the hood, Named Pipes are managed by the Windows I/O Manager via the Named Pipe File System driver (Npfs.sys). Because Windows treats pipes as file objects, processes interact with them using standard file APIs like CreateFile, ReadFile, and WriteFile.

• User-Mode Path: \\.\pipe\PipeName
• Kernel-Mode Translation: \Device\NamedPipe\PipeName

Crucially, Named Pipes exist only in the kernel pool memory. They leave no physical trace on the hard drive, making them the ultimate “Living off the Land” (LOTL) staging ground.

Typology of Abuse (TTPs)

Adversaries leverage Named Pipes across three primary phases of the kill chain.

A. Lateral Movement (SMB Encapsulation)

While pipes are primarily used for local IPC, Windows allows them to be accessed remotely over the network. Remote pipes are encapsulated within the Server Message Block (SMB) protocol (port 445) and accessed via the hidden IPC$ administrative share (e.g., \\Target-IP\pipe\PipeName). This is the foundational mechanism behind tools like PsExec. Threat actors use remote pipes to push payloads and execute commands across the network, heavily obfuscating their activity within normal, highly voluminous corporate SMB traffic.

B. P2P C2 Beacons (Cobalt Strike & Metasploit)

To evade network detection, modern threat actors avoid having every compromised endpoint beacon out to the internet. Instead, they establish a Peer-to-Peer (P2P) network. A primary “Egress Beacon” communicates with the external C2 server, while secondary “Child Beacons” on internal machines communicate solely with the Egress Beacon via Named Pipes over SMB. To Network Detection and Response (NDR) tools, this simply looks like internal Windows file-sharing traffic, completely masking the C2 heartbeat.

C. Local Privilege Escalation (Pipe Impersonation)

Windows provides a powerful API called ImpersonateNamedPipeClient. When a client connects to a pipe, the server creating the pipe can impersonate the client’s security token.

If an attacker identifies a highly privileged system service (running as SYSTEM) that attempts to connect to a predictable pipe name without verifying the server’s identity, the attacker can pre-emptively create that pipe. When the SYSTEM process connects, the attacker steals its token, achieving instant Local Privilege Escalation (LPE).

Tip

Real-World Example: As detailed by NetSPI in their “Pipe Dreams” adversary simulation, the Quest Desktop Authority suite suffered from severe Named Pipe misconfigurations. The software created pipes with overly permissive Discretionary Access Control Lists (DACLs) allowing Everyone full control. Attackers exploited these misconfigurations to inject arbitrary commands directly into a pipe consumed by a SYSTEM service, leading to immediate remote code execution.

2. Recent Case Study: The “PipeMagic” Framework (2025)

The abuse of Named Pipes is not limited to legacy tools. In August 2025, Microsoft Threat Intelligence published a detailed dissection of PipeMagic, a highly sophisticated, modular backdoor framework heavily relying on IPC for stealth.

Unlike traditional malware that loads all its capabilities into a single massive binary, PipeMagic operates using a microservices-like architecture entirely within memory.

The Internal Data Bus

PipeMagic utilizes Named Pipes not just for external Command & Control, but as an internal “data bus” between its loaded memory modules (e.g., keylogger, network scanner, exfiltration module). By exchanging data via pipes rather than shared memory regions or disk writes, the malware evades EDR memory scanners looking for anomalous cross-process memory allocations.

EDR Evasion

Because Named Pipe communication utilizes native, low-level NT APIs (NtCreateFile, NtFsControlFile), PipeMagic bypasses higher-level User-Mode API hooking (like kernel32.dll hooks) employed by legacy AVs, remaining virtually invisible to naive process monitoring.

3. Telemetry and Threat Hunting

Because Named Pipes leave no footprint on the NTFS file system, DFIR analysts must rely on kernel-level telemetry and network object access logs.

A. Sysmon Visibility (Event IDs 17 & 18)

Sysmon is the primary tool for catching Named Pipe abuse on the endpoint.

• Event ID 17 (Pipe Created): Logs the creation of a Named Pipe server. Crucial for identifying the compromised process hosting the C2 listener.
• Event ID 18 (Pipe Connected): Logs the client connection to a pipe. Crucial for tracking the internal data flow between the attacker’s injected processes.

B. Network Share Object Access (Event ID 5145)

To detect lateral movement via SMB encapsulation, analysts must monitor the Windows Security log for Event ID 5145 (A network share object was checked to see whether client can be granted access).

• Hunting Focus: Filter for accesses where the Share Name is \\*\IPC$ and the Relative Target Name matches known malicious pipe names.

Hunting for Suspicious Naming Conventions

Advanced threat hunting requires identifying anomalies in the PipeName field. Adversaries typically use three naming strategies:

1. Hardcoded Defaults: Script-kiddies and default commercial C2 profiles often leave default pipe names. For example, Cobalt Strike default SMB beacons frequently use \pipe\msagent_* or \pipe\mojo.*.
2. Randomization: Names consisting of completely random hex or alphanumeric strings (e.g., \pipe\5f3a1b...). Legitimate Windows pipes generally use structured, readable names (e.g., \pipe\spoolss).
3. Typosquatting/Masquerading: Attackers mimic legitimate Microsoft pipes to blend in. For example, creating \pipe\lsass instead of the legitimate \pipe\lsass\IPC.

4. In-Memory Forensic Analysis (RAM)

When telemetry logs are purged or rolled over, volatile memory (RAM) is the ultimate ground truth. Because Named Pipes are managed by the Windows I/O Manager, they exist as File objects within the Kernel Pool.

DFIR analysts can extract active and recently closed Named Pipes from a memory dump using advanced forensic frameworks.

A. Volatility 3 Analysis

Volatility 3 can enumerate all open handles across all processes to identify active pipes.

1. Acquire the Memory Dump: Obtain a raw .mem or .raw memory dump from the compromised endpoint.
2. Enumerate Handles: Use the windows.handles.Handles plugin to list all object handles.
3. Filter for Pipes: Because pipes are handled as file objects by the kernel, grep for \Device\NamedPipe\.
4. Identify the Culprit: Map the identified pipe back to its PID to find the injected or malicious process.

volatility_pipe_hunting.sh

# Execute the handles plugin and filter for Named Pipes
python3 vol.py -f target_dump.raw windows.handles | grep "Device\\\NamedPipe"

# Output Example:
# PID     Process        Type    Name
# 4512    powershell.exe File    \Device\NamedPipe\mojo_54321

B. MemProcFS and String Extraction

MemProcFS allows analysts to mount a memory dump as a virtual file system. This makes exploring kernel objects as easy as browsing local folders.

If the pipe was recently closed, the handle might be gone, but the string may still reside in unallocated memory pages. Analysts can use bstrings (from Eric Zimmerman’s Tools) to carve pipe names directly from the raw dump or a captured pagefile.sys.

bstrings_pipe_carving.sh

# Extracting UTF-16 strings (common in Windows memory) matching pipe patterns
bstrings.exe -f target_dump.raw --ls "\Device\NamedPipe"

By correlating the extracted pipe names with known C2 profiles, analysts can identify the exact malware family responsible for the intrusion, even if the primary payload has been securely wiped from disk.

5. Advanced Detection and Actionable Rules

While Sysmon provides excellent visibility, modern EDR solutions achieve deep inspection by directly hooking the low-level Windows APIs responsible for pipe creation.

As detailed in Synacktiv’s research on hooking Windows Named Pipes, advanced telemetry agents intercept calls to NtCreateFile and NtFsControlFile at the kernel or ntdll.dll level. By monitoring requests destined for the \Device\NamedPipe\ namespace, EDRs can analyze the pipe’s properties, assess the calling thread’s memory space for signs of injection, and evaluate the requested DACLs in real-time.

For SOC analysts and Threat Hunters relying on SIEM ingestion, identifying malicious Named Pipes involves matching known bad naming conventions and spotting suspicious parent processes (e.g., cmd.exe or powershell.exe creating a pipe server).

Sigma (Sysmon EID 17/18)

sigma_suspicious_named_pipe.yaml

title: Suspicious Named Pipe Created/Connected (Cobalt Strike / Metasploit)
id: 8c9d0e1f-2a3b-4c5d-6e7f-8a9b0c1d2e3f
status: experimental
description: Detects the creation or connection to Named Pipes using default naming conventions associated with common C2 frameworks like Cobalt Strike and Metasploit.
logsource:
    category: pipe_creation
    product: windows
detection:
    # Sysmon Event ID 17 (Pipe Created) or 18 (Pipe Connected)
    selection:
        PipeName|contains:
            - '\mojo.5688.8052.'   # Default Cobalt Strike
            - '\msagent_'          # Default Cobalt Strike SMB Beacon
            - '\postex_ssh_'       # Cobalt Strike SSH
            - '\status_'           # Cobalt Strike
            - '\msf-pty'           # Metasploit Meterpreter
    condition: selection
level: high
tags:
    - attack.command_and_control
    - attack.t1090
    - attack.t1570

KQL (Defender XDR)

hunt_smb_named_pipe_lateral_movement.kql

// Detects lateral movement via Named Pipes over SMB (IPC$ share)
// using Windows Security Event ID 5145 (Network Share Object Access)
DeviceEvents
| where ActionType == "ShareAccessed"
| where AdditionalFields.ShareName has "\\*\\IPC$"
// Target the specific Relative Target Name (the pipe name)
| where AdditionalFields.RelativeTargetName has_any ("mojo", "msagent", "postex")
// Ensure the connection originated from across the network
| where RemoteIPType == "Public" or RemoteIPType == "Private"
| project TimeGenerated, DeviceName, RemoteIP, InitiatingProcessAccountName, AdditionalFields.RelativeTargetName
| sort by TimeGenerated desc

6. Conclusion and Mitigations

Named Pipes are an architectural necessity for the Windows operating system; they cannot be disabled or globally blocked without causing catastrophic system failure. Therefore, mitigating the threat they pose requires a defense-in-depth strategy focused on network segmentation and access control.

1. Network Micro-segmentation: Lateral movement via Named Pipes relies entirely on the SMB protocol. Organizations must strictly enforce host-based firewalls (Windows Defender Firewall) to block inbound TCP Port 445 (SMB) between client workstations. Workstations should only communicate over SMB with designated file servers and Domain Controllers, completely neutralizing workstation-to-workstation SMB beacons.
2. DACL Auditing for LPE: To prevent Local Privilege Escalation via Pipe Impersonation, software developers and IT administrators must ensure that third-party applications do not create Named Pipes with overly permissive Discretionary Access Control Lists (DACLs) granting Everyone or BUILTIN\Users full control.
3. Behavioral Monitoring: Given that threat actors constantly randomize pipe names in modern C2 profiles, static string matching (like the Sigma rule above) must be supplemented with behavioral monitoring. Focus on identifying processes that typically do not utilize Named Pipes suddenly spawning pipe servers and accepting inbound SMB connections.

---

Sources & References

• Microsoft Security Blog (2025): Dissecting PipeMagic: Inside the Architecture of a Modular Backdoor Framework
• Synacktiv: Hooking Windows Named Pipes
• NetSPI: Pipe Dreams: Remote Code Execution via Quest Desktop Authority Named Pipe
• Detect.fyi: Threat Hunting Suspicious Named Pipes
• CyberEngage: Extracting Memory Objects with MemProcFS & Volatility 3
• Related Action: Hunting for Cobalt Strike and PsExec Lateral Movement