Fake Named Pipe with Delayed Response

Create a decoy named pipe that mimics a legitimate inter-process communication channel but introduces a significant delay before responding to client requests. This can be used to identify attackers attempting to exploit vulnerabilities or gather information through named pipes, as well as to disrupt their activities.

Engage Goals: EGO0001 Expose, EGO0002 Affect

Engage Approach: EAP0002 Detect, EAP0005 Disrupt

Engage Actions: EAC0014 Software Manipulation, EAC0018 Security Controls

Name of Element: Fake Named Pipe with Delayed Response


Technical Context:

Placement: Within the operating system’s namespace, alongside legitimate named pipes.

Use a language such as C++ or Python with libraries that expose named pipe functionality. Create a server-side application that listens on a specific pipe name and waits for a configurable delay before responding to client requests. Monitor pipe activity with system auditing tools or custom logging.
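A sketch of such a server in Python, added here as an example and not taken from the original entry. It uses the standard library's `multiprocessing.connection.Listener`, which creates a real named pipe on Windows; the pipe name, the 30-second default delay, the `BUSY` reply and the Unix-socket stand-in used on other platforms are assumptions made for illustration.

```python
import json
import logging
import os
import sys
import tempfile
import time
from multiprocessing.connection import Listener

# Hypothetical decoy name: choose one that blends in with the host's real pipes.
PIPE_NAME = "svc_telemetry_ipc"


def decoy_address(name=PIPE_NAME):
    """Return (address, family): a named pipe on Windows, a Unix-socket stand-in elsewhere."""
    if sys.platform == "win32":
        return r"\\.\pipe" + "\\" + name, "AF_PIPE"
    return os.path.join(tempfile.gettempdir(), name + ".sock"), "AF_UNIX"


def serve(address, family, delay=30.0, max_clients=None, events=None):
    """Accept clients one at a time, log each, stall for `delay` seconds, then reply."""
    events = [] if events is None else events
    with Listener(address, family=family) as listener:
        while max_clients is None or len(events) < max_clients:
            conn = listener.accept()
            event = {"pipe": address, "connected_at": time.time(), "outcome": "replied"}
            # Log before stalling: nothing legitimate uses this pipe, so the
            # connection itself is the detection signal.
            logging.warning("decoy pipe touched: %s", json.dumps(event))
            time.sleep(delay)  # the configurable delay before responding
            try:
                conn.send_bytes(b"BUSY")  # assumed placeholder reply
            except OSError:
                # The client gave up during the delay; record that as well.
                event["outcome"] = "client_disconnected"
            finally:
                conn.close()
            event["held_seconds"] = round(time.time() - event["connected_at"], 3)
            events.append(event)
    return events


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    serve(*decoy_address())
```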

Other:

ATT&CK/Engage Mapping: T1055 Process Injection, E1506 Decoy System
