{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mkfifo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux"],"_cs_severities":["high"],"_cs_tags":["mkfifo","named_pipe","linux","command_execution","lateral_movement"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses suspicious activities on Linux systems involving the \u003ccode\u003emkfifo\u003c/code\u003e command. While \u003ccode\u003emkfifo\u003c/code\u003e itself is a legitimate utility for creating named pipes, its use followed by command execution can indicate malicious intent. Attackers may use named pipes for inter-process communication, command and control (C2), or data exfiltration. This activity is often seen in post-exploitation scenarios. The use of \u003ccode\u003emkfifo\u003c/code\u003e in conjunction with other commands such as \u003ccode\u003enc\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, or scripting languages like Python warrants close examination. The scope of this brief focuses on Linux-based systems and the detection of command sequences indicating potential abuse of \u003ccode\u003emkfifo\u003c/code\u003e. Defenders should monitor for unusual process chains involving \u003ccode\u003emkfifo\u003c/code\u003e and subsequent command executions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Linux system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emkfifo /tmp/named_pipe\u003c/code\u003e to create a named pipe in the /tmp directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses netcat to listen on a port and write output to the named pipe: \u003ccode\u003enc -l -p 1337 \u0026gt; /tmp/named_pipe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn a separate process, the attacker executes a command and redirects the output to the named pipe: \u003ccode\u003els -la \u0026gt; /tmp/named_pipe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe netcat process receives the output of the \u003ccode\u003els -la\u003c/code\u003e command and forwards it to the attacker's C2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erm /tmp/named_pipe\u003c/code\u003e to remove the named pipe, cleaning up evidence.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat steps 2-5 to execute further commands and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, data exfiltration, and command execution on the compromised Linux system. The severity of the impact depends on the privileges of the compromised user and the sensitivity of the data accessible on the system. This technique can be used to establish covert communication channels for lateral movement and persistence within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process executions involving \u003ccode\u003emkfifo\u003c/code\u003e followed by network activity or command execution (see \u0026quot;Suspicious Mkfifo Followed by Command Execution\u0026quot; and \u0026quot;Suspicious Mkfifo and Netcat Use\u0026quot; rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs for the execution of \u003ccode\u003emkfifo\u003c/code\u003e command, focusing on parent processes and subsequent child processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emkfifo\u003c/code\u003e usage where the created named pipe is used for network communication or data redirection.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command line auditing to capture the full context of \u003ccode\u003emkfifo\u003c/code\u003e executions and related commands.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-mkfifo-execution/","summary":"This brief covers the suspicious execution of commands following the use of 'mkfifo' on Linux systems, often indicating malicious activity such as establishing named pipes for command and control or data exfiltration.","title":"Suspicious mkfifo Execution on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-mkfifo-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Mkfifo","version":"https://jsonfeed.org/version/1.1"}