{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/named-pipe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","named-pipe","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe threat involves an adversary attempting to escalate privileges on a Windows system by creating a rogue named pipe. The attacker masquerades the pipe as a legitimate one, tricking a privileged process into connecting to it. This technique is often employed to abuse impersonation privileges, as seen in tools like PrintSpoofer and EfsPotato. By creating a named pipe with a manipulated path (e.g., including \u003ccode\u003e\\\\pipe\\\\\u003c/code\u003e after a path segment that resembles a service/RPC pipe), attackers can intercept and manipulate communication intended for the legitimate service. This can lead to unauthorized command execution or access to sensitive resources with elevated privileges. Detection focuses on identifying suspicious named pipe creations, analyzing the creator process, monitoring client connections, and tracking follow-on activities to determine the likelihood of a successful privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through some vector.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged process that communicates via named pipes.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a rogue named pipe using \u003ccode\u003eCreateNamedPipe\u003c/code\u003e API. 
The pipe path is crafted to resemble a legitimate service\u0026rsquo;s pipe, possibly embedding \u003ccode\u003e\\\\pipe\\\\\u003c/code\u003e after another path segment.\u003c/li\u003e\n\u003cli\u003eThe privileged process connects to the rogue named pipe. The attacker uses techniques to coerce the privileged process to connect to their rogue pipe.\u003c/li\u003e\n\u003cli\u003eThe attacker impersonates the privileged client. After the privileged process connects, the attacker\u0026rsquo;s process impersonates the security context of the client.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands or accesses resources with the impersonated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker persists or expands their access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to execute arbitrary commands with elevated privileges, potentially gaining full control of the system. This can lead to data theft, system compromise, or the deployment of further malicious payloads. The attack can potentially affect any Windows system where privileged processes communicate via named pipes. 
The number of affected systems depends on the scope and effectiveness of the attacker\u0026rsquo;s initial access and lateral movement techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and file creation logging to capture named pipe creation events (as described in the rule setup instructions: \u003ca href=\"https://ela.st/sysmon-event-pipe-setup\"\u003ehttps://ela.st/sysmon-event-pipe-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Privilege Escalation via Rogue Named Pipe Impersonation\u0026rdquo; to your SIEM and tune false positives based on legitimate local IPC products.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the rogue pipe path (\u003ccode\u003efile.name\u003c/code\u003e), creator process (\u003ccode\u003eprocess.executable\u003c/code\u003e), and any privileged clients connecting to the pipe.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:11:14Z","date_published":"2026-05-12T19:11:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-privilege-escalation-via-rogue-named-pipe/","summary":"An adversary may attempt privilege escalation by masquerading as a known named pipe and manipulating a privileged process to connect to it on Windows systems.","title":"Privilege Escalation via Rogue Named Pipe Impersonation","url":"https://feed.craftedsignal.io/briefs/2026-05-privilege-escalation-via-rogue-named-pipe/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel","Windows"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","named-pipe","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule 
identifies a privilege escalation attempt via named pipe impersonation, a technique where an adversary leverages a framework such as Metasploit\u0026rsquo;s meterpreter getsystem command to gain elevated privileges. This involves a process, typically cmd.exe or PowerShell.exe, writing to a named pipe. The detection logic focuses on identifying scenarios where a service-context client interacts with a named-pipe server, enabling the server to impersonate the client\u0026rsquo;s token, thereby achieving privilege escalation. The rule is designed to detect this activity by monitoring for specific command-line arguments associated with named pipe creation and usage, indicative of an attempt to exploit this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to a system, possibly through phishing or exploiting a remote vulnerability.\u003c/li\u003e\n\u003cli\u003eThe adversary executes a reconnaissance phase to identify potential privilege escalation vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like Metasploit\u0026rsquo;s meterpreter and attempts to execute the \u003ccode\u003egetsystem\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egetsystem\u003c/code\u003e attempts various techniques to gain SYSTEM privileges. 
One of these techniques involves named pipe impersonation.\u003c/li\u003e\n\u003cli\u003eA process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, writes to a named pipe using the \u003ccode\u003eecho\u003c/code\u003e command with redirection (\u003ccode\u003e\u0026gt; \\\\\\\\.\\\\pipe\\\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA service running as SYSTEM impersonates the client\u0026rsquo;s token.\u003c/li\u003e\n\u003cli\u003eThe attacker gains SYSTEM privileges and can perform administrative tasks.\u003c/li\u003e\n\u003cli\u003eThe adversary leverages their elevated privileges to achieve their final objective, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute commands with SYSTEM privileges, giving them full control over the compromised system. This can lead to sensitive data theft, installation of malware, lateral movement to other systems within the network, and ultimately, complete compromise of the affected environment. 
The high risk score reflects the severity of this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect privilege escalation attempts via named pipe impersonation (detects \u003ccode\u003eprocess.args : \u0026quot;echo\u0026quot; and process.args : \u0026quot;\u0026gt;\u0026quot; and process.args : \u0026quot;\\\\\\\\.\\\\pipe\\\\*\u0026quot; \u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command-line arguments to ensure the Sigma rule functions correctly (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eReview and restrict local administrator and service creation rights to prevent untrusted tooling from creating SYSTEM service clients (Post-incident hardening).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the parent process, token context, and follow-on activity to determine if the named pipe activity is legitimate or malicious (investigation steps outlined in note section).\u003c/li\u003e\n\u003cli\u003eContinuously monitor Windows Security Event Logs for suspicious process creation events (Data Source: Windows Security Event Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:09:05Z","date_published":"2026-05-12T19:09:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-privesc-named-pipe/","summary":"Adversaries may escalate privileges by abusing named pipe impersonation, a technique often used with tools like Metasploit's meterpreter getsystem command, where a process writes to a named pipe to facilitate a SYSTEM-token handoff.","title":"Privilege Escalation via Named Pipe Impersonation","url":"https://feed.craftedsignal.io/briefs/2026-05-privesc-named-pipe/"}],"language":"en","title":"CraftedSignal Threat Feed — Named-Pipe","version":"https://jsonfeed.org/version/1.1"}