Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.specterops.io/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The NamedPipes command enumerates named pipes on the system, including their security descriptors and associated processes. Named pipes are used for inter-process communication and can be targets for privilege escalation or lateral movement attacks.

Syntax

Seatbelt.exe NamedPipes
This command does not support remote execution.

Output

Returns named pipe information:
  • Pipe name
  • Security descriptor (SDDL)
  • Associated process ID
  • Process name
  • Access control information

Use Cases

  • Identify named pipes for privilege escalation
  • Find impersonation opportunities
  • Discover service communication channels
  • Locate weakly protected pipes
  • Identify C2 communication channels

Example Output

====== NamedPipes ======

Name     : \Device\NamedPipe\lsass
PID      : 712
Process  : lsass.exe
SDDL     : O:SYG:SYD:(A;;0x12019b;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

Name     : \Device\NamedPipe\MSSQL$SQLEXPRESS\sql\query
PID      : 2156
Process  : sqlservr.exe
SDDL     : O:BAG:BAD:(A;;FA;;;BA)(A;;0x12019f;;;AU)

Remote Execution

This command does NOT support remote execution.

Detection Considerations

Low detection risk - enumerates local named pipes.