EDR: How To Detect Named Pipes for File Creation Events

Article ID: 290989


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to locate named pipes for file creation events.
 

Environment

EDR Sensor: Version 7.3.0 and Higher

Resolution

  1. In the Console, open the Process Search page and search recently executed processes for 'NamedPipeServer.exe' and/or 'NamedPipeClient.exe'.
  2. Click the process name to open the Process Analysis page.
  3. Locate the filemod create event for the named pipe under the 'NamedPipeServer.exe' entry (the pipe name is \device\namedpipe\cbnamedpipe).
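
The same check applied to exported filemod records, as an added example that is not vendor code: it keeps only creation events whose path sits under \device\namedpipe\ and returns the pipe name. The pipe-delimited record layout, the operation code 1 for "create", the function name and the sample records are assumptions constructed for illustration.

```python
# Added example (not vendor code). Assumed record layout:
#   "op|timestamp|path|md5|filetype|tamper"
NAMED_PIPE_PREFIX = "\\device\\namedpipe\\"
CREATE_OP = "1"  # assumption: operation type 1 marks a file creation

# Constructed sample records, not taken from a real sensor.
SAMPLE_FILEMODS = [
    r"1|2024-01-01 10:00:00.000|\Device\NamedPipe\cbnamedpipe|||false",
    r"2|2024-01-01 10:00:01.000|c:\temp\out.log|||false",
    # Ordinary file whose path merely contains "namedpipe": must not match.
    r"1|2024-01-01 10:00:02.000|c:\temp\namedpipe\notes.txt|||false",
    # Right path, but a write rather than a create: must not match.
    r"8|2024-01-01 10:00:03.000|\device\namedpipe\cbnamedpipe|||false",
    "malformed record",
]


def named_pipe_creates(records):
    """Return (timestamp, pipe_name) for each create event on a named pipe."""
    hits = []
    for record in records:
        fields = record.split("|")
        if len(fields) < 3:
            continue  # skip truncated or malformed records
        op, timestamp, path = fields[0], fields[1], fields[2]
        if op != CREATE_OP:
            continue
        # Windows object paths are case-insensitive, so compare lowercased.
        lowered = path.lower()
        if not lowered.startswith(NAMED_PIPE_PREFIX):
            continue
        pipe_name = lowered[len(NAMED_PIPE_PREFIX):]
        if pipe_name:
            hits.append((timestamp, pipe_name))
    return hits


if __name__ == "__main__":
    for ts, name in named_pipe_creates(SAMPLE_FILEMODS):
        print(ts, name)
```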

Additional Information

  • The 7.3.0 EDR Sensor has been updated to report named pipes for file creation events.