Supisicous Named Piped Event
Behaviour Suspicious Named Pipes
Query
let NamedPipes = externaldata(pipe_name: string, metadata_description: string, metadata_tool:string, metadata_category: string, metadata_link: string, metadata_priority:string, metadata_fp_risk: string, metadata_severity: string, metadata_tool_type: string, metadata_usage: string, metadata_comment: string, metadata_reference: string)[@"https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/suspicious_named_pipe_list.csv"] with (format="csv", ignoreFirstRecord=True);
let StandardizedPipes = NamedPipes
| project pipe_name = replace_string(tolower(pipe_name), "*", "");
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "NamedPipeEvent"
| extend AdditionalFields_parsed = parse_json(AdditionalFields)
| where split(tolower(AdditionalFields_parsed.PipeName), "\\")[-1] has_any(StandardizedPipes)
| extend PipeName = AdditionalFields_parsed.PipeName, PipeNameChild = split(tolower(AdditionalFields_parsed.PipeName), "\\")[-1], FileOperation = AdditionalFields_parsed.FileOperation, NamedPipeEnd = AdditionalFields_parsed.NamedPipeEnd
| project-reorder Timestamp, PipeName, FileOperation, DeviceName, AccountName, NamedPipeEndAbout this query
Explanation
This query is designed to detect potentially malicious software activity by monitoring named pipe events in your environment. Named pipes are a method of inter-process communication, and certain named pipes can be indicative of malicious activity.
Here's a simplified breakdown of the query:
-
Data Source: The query uses a list of known suspicious named pipes from an external CSV file hosted on GitHub. This list is used as a reference to identify potentially harmful named pipes.
-
Data Processing:
- The named pipes from the CSV are standardized by converting them to lowercase and removing any wildcard characters.
- The query then looks at the
DeviceEventstable for any events related to named pipes that have occurred in the last 24 hours.
-
Filtering:
- It specifically filters for events where the action type is "NamedPipeEvent".
- It checks if the name of the pipe involved in the event matches any of the standardized suspicious pipe names.
-
Output:
- If a match is found, it extracts and displays relevant details such as the timestamp of the event, the full pipe name, the operation performed, the device name, the account name, and the endpoint of the named pipe.
This query helps in identifying and investigating potentially malicious software executions by focusing on named pipe activities that match known suspicious patterns.
Details

Bert-Jan Pals
Released: December 11, 2024
Tables
Keywords
Operators