Which protocol is being exploited by malware that connects to named pipes?

Prepare for the PRCC Network Security Exam with practice quizzes, flashcards, and multiple choice questions. Each question includes helpful hints and detailed explanations to guide you towards success on your exam day.

Malware exploiting named pipes typically leverages the Server Message Block (SMB) protocol. Named pipes are a method of inter-process communication on Windows systems, allowing different processes to communicate with each other. SMB is a network file sharing protocol that enables applications to read and write to files and request services from server programs. It also allows for communication between processes over the network.

Because SMB supports named pipes, malware can use this functionality to interact with running processes across a network, facilitating unauthorized access, data exfiltration, or remote code execution. This makes SMB particularly attractive to attackers, as it can enable lateral movement within an environment, allowing them to access resources or data that may otherwise be protected.

In contrast, other protocols like HTTP, FTP, and SSH do not inherently utilize named pipes for communication in the same way SMB does. HTTP is primarily used for web traffic, FTP for file transfer, and SSH for secure shell access; none of these protocols provide the same level of inter-process communication through named pipes as SMB does.
