read pipe

rule:
  meta:
    name: read pipe
    namespace: communication/named-pipe/read
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output.
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Communication::Interprocess Communication::Read Pipe [C0003.003]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x4014C0
  features:
    - or:
      - and:
        - api: kernel32.PeekNamedPipe
        - api: kernel32.ReadFile
      - api: kernel32.TransactNamedPipe
        description: writes and reads pipe in single operation
      - api: kernel32.CallNamedPipe
        description: connects, writes, and reads pipe in single operation