
Overview

The NamedPipes command enumerates named pipes on the system, including their security descriptors and associated processes. Named pipes are used for inter-process communication and can be targets for privilege escalation or lateral movement attacks.

Syntax

Seatbelt.exe NamedPipes
This command does not support remote execution.

Output

Returns named pipe information:
  • Pipe name
  • Security descriptor (SDDL)
  • Associated process ID
  • Process name
  • Access control information

Use Cases

  • Red Team
  • Blue Team
  • Identify named pipes for privilege escalation
  • Find impersonation opportunities
  • Discover service communication channels
  • Locate weakly protected pipes
  • Identify C2 communication channels

Example Output

====== NamedPipes ======

Name     : \Device\NamedPipe\lsass
PID      : 712
Process  : lsass.exe
SDDL     : O:SYG:SYD:(A;;0x12019b;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

Name     : \Device\NamedPipe\MSSQL$SQLEXPRESS\sql\query
PID      : 2156
Process  : sqlservr.exe
SDDL     : O:BAG:BAD:(A;;FA;;;BA)(A;;0x12019f;;;AU)
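
For the blue-team "locate weakly protected pipes" use case, the following added example (not part of Seatbelt or of the original page) parses output in the format shown above and lists allow ACEs that grant write or create-instance rights to broad groups. The set of broad principals and all function names are assumptions made for illustration; the sample input is constructed from the two records above.

```python
import re
# Constructed sample: the two records from the Example Output section.
SAMPLE = r"""
Name     : \Device\NamedPipe\lsass
PID      : 712
Process  : lsass.exe
SDDL     : O:SYG:SYD:(A;;0x12019b;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

Name     : \Device\NamedPipe\MSSQL$SQLEXPRESS\sql\query
PID      : 2156
Process  : sqlservr.exe
SDDL     : O:BAG:BAD:(A;;FA;;;BA)(A;;0x12019f;;;AU)
"""

# Assumption: these SDDL SID aliases are the "broad" principals worth reviewing.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "AN": "Anonymous", "BU": "Builtin Users"}
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116,
           "GA": 0x10000000, "GW": 0x40000000}  # aliases SDDL may use instead of hex
FILE_WRITE_DATA = 0x2            # write to the pipe
FILE_CREATE_PIPE_INSTANCE = 0x4  # create a further instance of the pipe
WRITE_LIKE = FILE_WRITE_DATA | FILE_CREATE_PIPE_INSTANCE | 0x10000000 | 0x40000000
# Allow ACE: (A;flags;rights;object_guid;inherit_guid;sid). Deny ACEs are ignored.
ACE = re.compile(r"\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^;)]+)\)")

def parse_records(text):
    """Split blank-line separated 'Key : Value' blocks into dicts."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [{k.strip(): v.strip() for k, sep, v in
             (ln.partition(":") for ln in b.splitlines()) if sep} for b in blocks]

def mask_of(rights):
    """Turn an SDDL rights field (hex or two-letter aliases) into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= ALIASES.get(rights[i:i + 2], 0)
    return mask

def broad_write_aces(sddl):
    """(principal, mask, can_create_instance) per broad allow ACE with write-like rights."""
    aces = [(BROAD.get(sid), mask_of(r)) for r, sid in ACE.findall(sddl)]
    return [(who, hex(m), bool(m & FILE_CREATE_PIPE_INSTANCE))
            for who, m in aces if who and m & WRITE_LIKE]

def triage(text):
    return {r["Name"]: broad_write_aces(r["SDDL"])
            for r in parse_records(text) if "SDDL" in r}
```

On the sample, both pipes are listed, and only the SQL pipe's ACE carries the create-instance bit (0x4). Write access for broad groups is expected on pipes that serve ordinary clients, so treat the results as items to compare against a baseline.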

Remote Execution

This command does NOT support remote execution.

Detection Considerations

Low detection risk - enumerates local named pipes.