Windows Anonymous Pipe Activity

Splunk Security Content

Summary
The Windows Anonymous Pipe Activity analytic detects the creation of, and connection to, anonymous pipes in a Windows environment, which can indicate potential malicious activity. Anonymous pipes are often used for inter-process communication (IPC) by legitimate applications and services to transfer data between related processes. However, attackers can abuse them for stealthy operations such as process injection, command-and-control (C2) communication, credential theft, and privilege escalation. This detection rule focuses on unusual anonymous pipe activity, especially from non-system processes, unsigned executables, and atypical parent-child process relationships. Although anonymous pipes have legitimate uses, for example in software installers or security tools, high-frequency or unusual patterns warrant investigation for possible malware presence, persistence tactics, or lateral movement within the network.
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1559
Created: 2025-02-11