Ares-mythic/documentation-payload/apollo/commands/listpipes.md
2026-04-14 12:17:24 +07:00

+++
title = "listpipes"
chapter = false
weight = 150
hidden = false
+++

Summary

The listpipes function enumerates all named pipes on the local Windows host using the FindFirstFileW API on the \\.\pipe\* namespace. Named pipes are commonly used for inter-process communication (IPC), and this function helps discover active communication endpoints used by system services, applications, or malicious software.

  • Needs Admin: False
  • Version: 1
  • Author: @ToweringDragoon

Arguments

This command takes no arguments.

Usage

Example: Listing Named Pipes on the Local Machine

Command:

listpipes

Output:

Found 56 named pipes:
InitShutdown
lsass
ntsvcs
scerpc
spoolss
wkssvc
srvsvc
...

MITRE ATT&CK Mapping

  • T1083 - File and Directory Discovery (named pipes are part of the Windows object namespace)

Detailed Summary

The listpipes task queries the Windows named pipe namespace using the FindFirstFileW("\\\\.\\pipe\\*") API. This method allows the agent to list active named pipe objects from user mode without relying on NT Native API calls like NtQueryDirectoryObject, which often fail or require elevated access.

Functional Steps:

  1. Initialize Pipe Search:

    • Calls FindFirstFileW("\\\\.\\pipe\\*") to begin enumeration of named pipe objects.
  2. Iterate Through Pipe Names:

    • Uses FindNextFileW in a loop to collect all entries under the \\.\pipe\ namespace.
  3. Filter Results:

    • Trims null terminators.
    • Filters out invalid or malformed names (though the default implementation includes everything unless manually filtered).
  4. Return Results:

    • Aggregates all valid pipe names and returns a summary string: the line "Found X named pipes:" followed by newline-separated pipe names.
  5. Error Handling:

    • If FindFirstFileW fails, the function throws an exception with the associated Win32 error code.
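
A defender-side use of the output format from step 4, as an added example that is not part of the Apollo code: it parses a "Found X named pipes:" listing, trims null terminators as in step 3, and reports names that match no baseline entry. The baseline list, the sample text, and all function names are constructed for illustration.

```python
import fnmatch
import re

# Constructed baseline: names from the sample output on this page plus one
# wildcard entry. A real baseline would be captured per host image.
BASELINE = ["InitShutdown", "lsass", "ntsvcs", "scerpc", "spoolss",
            "wkssvc", "srvsvc", "Winsock2\\CatalogChangeListener-*"]

HEADER = re.compile(r"^Found (\d+) named pipes:$")


def parse_listpipes(text):
    """Return (declared_count, names) from 'Found X named pipes:' output."""
    lines = text.splitlines()
    match = HEADER.match(lines[0].strip()) if lines else None
    if match is None:
        raise ValueError("missing 'Found X named pipes:' header")
    names = []
    for line in lines[1:]:
        name = line.strip().strip("\x00")  # step 3: trim null terminators
        if name and name != "...":         # skip blanks and the elision marker
            names.append(name)
    return int(match.group(1)), names


def unexpected_pipes(names, baseline=BASELINE):
    """Names matching no baseline entry (case-insensitive, '*' wildcards)."""
    patterns = [p.lower() for p in baseline]
    return sorted({n for n in names
                   if not any(fnmatch.fnmatchcase(n.lower(), p) for p in patterns)})


def review(text, baseline=BASELINE):
    """Summarize one listing: counts, truncation flag, off-baseline names."""
    declared, names = parse_listpipes(text)
    return {"declared": declared,
            "listed": len(names),
            "truncated": declared != len(names),  # header and body disagree
            "unexpected": unexpected_pipes(names, baseline)}


# Constructed sample in the page's output format; the two example_* names are made up.
SAMPLE = ("Found 9 named pipes:\nInitShutdown\nlsass\nntsvcs\nscerpc\nspoolss\n"
          "Winsock2\\CatalogChangeListener-2a4-0\nexample_svc_pipe\x00\n"
          "example_updater_7f3a\n...\n")

if __name__ == "__main__":
    print(review(SAMPLE))
```

The truncated flag matters when a listing is copied from a log or report: a header count that exceeds the listed names means the comparison ran on partial data.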

APIs Used and Their Purposes

| API | Purpose | DLL | Documentation |
|---|---|---|---|
| FindFirstFileW | Begins enumeration of pipe names under \\.\pipe\ | kernel32.dll | FindFirstFileW |
| FindNextFileW | Continues enumeration of named pipes | kernel32.dll | FindNextFileW |
| FindClose | Closes the pipe enumeration handle | kernel32.dll | FindClose |
| Marshal.GetLastWin32Error | Captures last error code after Win32 API failure | mscorlib.dll | GetLastWin32Error |

Considerations

  • Permissions: This command does not require administrative privileges. However, access to specific pipes may still be restricted based on ACLs.
  • OPSEC: Enumerating named pipes may cause suspicious handle access logs to appear in security monitoring tools or EDRs.
  • Performance: This is a lightweight operation and generally completes quickly unless the system has an extremely large number of named pipes.

References