Deceptive Named Pipe Server

Goal: Detect attempts to communicate with known malicious named pipes.

Approach: Monitoring for connections to deceptive named pipes.

This element creates a named pipe with a name commonly used by malware. When malware attempts to connect, the deceptive server captures information about the malware and can optionally deliver a deceptive payload.

Engage Goals: EGO0001 Expose

Engage Approach: EAP0002 Detect

Engage Actions: EAC0002 Network Monitoring, EAC0015 Information Manipulation

Technical Context:

This element leverages the Windows named pipe mechanism for inter-process communication. It creates a server that listens on a specific pipe name and logs any connection attempts, providing valuable information about potential malware activity.
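As an added example (not code from the original page or from any Engage reference implementation), the listener below shows one way to build this element in PowerShell on top of System.IO.Pipes: it creates the decoy pipe, records who connected (impersonated user name, client process id and image path via the Win32 GetNamedPipeClientProcessId call), captures the first bytes the client sends, and optionally answers with a decoy payload before closing. The pipe name, log path, decoy response and read timeout are constructed placeholders to be adapted.

```powershell
# Added example: deceptive named pipe server. All parameter defaults are constructed
# placeholders (assumptions), not values taken from the page.
param(
    [string]$PipeName      = 'DECOY_PIPE_NAME_PLACEHOLDER',   # replace with the pipe name to watch
    [string]$LogPath       = "$env:ProgramData\DecoyPipe\connections.jsonl",
    [byte[]]$DecoyResponse = [System.Text.Encoding]::ASCII.GetBytes("OK`r`n"), # optional decoy payload
    [int]$ReadTimeoutMs    = 2000                              # how long to wait for client data
)

# Win32 call (not part of System.IO.Pipes) to learn which process is on the other end of the pipe.
Add-Type -Namespace Decoy -Name NativeMethods -MemberDefinition @'
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeClientProcessId(System.IntPtr Pipe, out uint ClientProcessId);
'@

New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null

function Write-DecoyRecord {
    param([hashtable]$Record)
    # One JSON object per line so a log forwarder can tail the file into a SIEM.
    ($Record | ConvertTo-Json -Compress) | Add-Content -Path $LogPath -Encoding UTF8
}

while ($true) {
    # Single instance, byte mode, overlapped I/O so the read below can be bounded by a timeout.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    try {
        $server.WaitForConnection()   # blocks until something opens \\.\pipe\<name>
        $record = @{
            Timestamp  = (Get-Date).ToString('o')
            Pipe       = "\\.\pipe\$PipeName"
            ClientUser = $null
            ClientPid  = $null
            ClientExe  = $null
            FirstBytes = $null
        }
        # Identity of the connecting client: impersonation name, then PID and image path.
        try { $record.ClientUser = $server.GetImpersonationUserName() } catch { }
        $clientPid = [uint32]0
        $handle = $server.SafePipeHandle.DangerousGetHandle()
        if ([Decoy.NativeMethods]::GetNamedPipeClientProcessId($handle, [ref]$clientPid)) {
            $record.ClientPid = $clientPid
            $proc = Get-Process -Id $clientPid -ErrorAction SilentlyContinue
            if ($proc) { $record.ClientExe = $proc.Path }   # may be null for protected processes
        }
        # Capture what the client sends first, but do not hang forever if it waits for us to speak.
        $buffer   = New-Object byte[] 4096
        $readTask = $server.ReadAsync($buffer, 0, $buffer.Length)
        if ($readTask.Wait($ReadTimeoutMs) -and $readTask.Result -gt 0) {
            $record.FirstBytes = [System.BitConverter]::ToString($buffer, 0, $readTask.Result)
        }
        Write-DecoyRecord -Record $record
        # Optional deception: reply so the client keeps talking, and keeps being logged.
        if ($DecoyResponse -and $server.IsConnected) {
            $server.Write($DecoyResponse, 0, $DecoyResponse.Length)
            $server.Flush()
        }
    } catch {
        Write-DecoyRecord -Record @{ Timestamp = (Get-Date).ToString('o'); Pipe = $PipeName; Error = $_.Exception.Message }
    } finally {
        $server.Dispose()   # tears down the instance; the loop immediately recreates the decoy
    }
}
```

Run it under an account that stays logged on (a scheduled task or service works well), and treat any record in the log as high-signal, since no legitimate process should open a pipe name you chose as a decoy; confirm the name is not also used by a product in your environment before deploying. Two practical caveats: the default pipe DACL may refuse a low-privileged client that opens the pipe for write, so on .NET Framework you may need the NamedPipeServerStream overload that takes a PipeSecurity to widen access; and Sysmon's pipe events (Event ID 17 PipeCreated, 18 PipeConnected) give an independent record of the same connection, which is useful for corroborating the decoy's log.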

Other:

This element can be particularly effective against malware that uses named pipes for command and control or data exfiltration.
