Execution

T1559: Inter-Process Communication

T1559 · Technique · 3 platforms

Description

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms differ between operating systems, but they typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Linux environments support several different IPC mechanisms, two of which are sockets and pipes.(Citation: Linux IPC) Higher-level execution mediums, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms. Adversaries may also use Remote Services such as Distributed Component Object Model to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)

Platforms

Linux, macOS, Windows

Sub-Techniques (3)

Mitigations (6)

Disable or Remove Feature or Program (M1042)

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017)(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.(Citation: Microsoft

Software Configuration (M1054)

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)

Application Isolation and Sandboxing (M1048)

Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)

Privileged Account Management (M1026)

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.(Citation: Microsoft Process Wide Com Keys)

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for al
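As an added example that is not from the ATT&CK page, a read-only PowerShell audit of the two registry locations named above: it prints the system-wide DCOM defaults under HKLM\SOFTWARE\Microsoft\Ole (the values Dcomcnfg.exe's "Default Properties" writes) and flags any AppID whose custom LaunchPermission or AccessPermission grants Everyone or Anonymous Logon. The value names, the level-to-name tables and the SDDL decoding via .NET are this example's assumptions; run it elevated for a complete view.

```powershell
# Added audit script (not part of the ATT&CK page). Read-only.
# Assumption: the Ole/AppID value names below are the documented DCOM registry values.

function Get-DcomSddl([byte[]]$Bytes) {
    # REG_BINARY permission values are self-relative security descriptors; render as SDDL.
    if (-not $Bytes) { return $null }
    try {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
        return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    } catch { return "(undecodable: $($_.Exception.Message))" }
}

# --- system-wide defaults: HKLM\SOFTWARE\Microsoft\Ole ---
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
$authNames = @{ 1='None'; 2='Connect'; 3='Call'; 4='Packet'; 5='Packet Integrity'; 6='Packet Privacy' }
$impNames  = @{ 1='Anonymous'; 2='Identify'; 3='Impersonate'; 4='Delegate' }
"EnableDCOM                : $($ole.EnableDCOM)"
"LegacyAuthenticationLevel : $($authNames[[int]$ole.LegacyAuthenticationLevel])"
"LegacyImpersonationLevel  : $($impNames[[int]$ole.LegacyImpersonationLevel])"
foreach ($name in 'DefaultLaunchPermission','DefaultAccessPermission',
                  'MachineLaunchRestriction','MachineAccessRestriction') {
    $sddl = Get-DcomSddl $ole.$name
    "$name : $(if ($sddl) { $sddl } else { '(not set; built-in default applies)' })"
}

# --- per-application overrides: HKLM\SOFTWARE\Classes\AppID\{GUID} ---
$flagged = foreach ($app in Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty $app.PSPath
    foreach ($perm in 'LaunchPermission','AccessPermission') {
        $sddl = Get-DcomSddl $p.$perm
        # In SDDL, WD = Everyone and AN = Anonymous Logon; an allow ACE for either deserves review.
        if ($sddl -and $sddl -match '\(A;[^)]*;(WD|AN)\)') {
            [pscustomobject]@{
                AppID   = $app.PSChildName
                Name    = $p.'(default)'
                Setting = $perm
                RunAs   = $p.RunAs
                SDDL    = $sddl
            }
        }
    }
}
"`nAppIDs whose custom DCOM ACL grants Everyone or Anonymous:"
$flagged | Format-Table -AutoSize
```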

Behavior Prevention on Endpoint (M1040)

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.(Citation: Microsoft ASR Nov 2017)(Citation: Enigma Reviving DDE Jan 2018)
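As an added example (not part of the ATT&CK page), a read-only PowerShell audit for the Office-side mitigations M1042 and M1040 above: it checks the per-user DDE-disabling registry values that Microsoft's DDE advisory ADV170021 documents (value names as recalled here; confirm them against the advisory for your Office build) and whether the ASR rule that blocks Office applications from creating child processes is in Block mode. The Office version keys, the expected values and the ASR rule GUID are this example's assumptions.

```powershell
# Added audit script (not part of the ATT&CK page). Read-only; reports, does not change.
$OfficeVersions = @('16.0', '15.0', '14.0')   # Office 2016/365, 2013, 2010 (assumed key names)

# Assumption: value names and required data as published in ADV170021.
$DdeChecks = @(
    @{ Path = 'Word\Security';  Name = 'AllowDDE';               Want = 0 },
    @{ Path = 'Word\Options';   Name = 'DontUpdateLinks';        Want = 1 },
    @{ Path = 'Excel\Security'; Name = 'DisableDDEServerLaunch'; Want = 1 },
    @{ Path = 'Excel\Security'; Name = 'DisableDDEServerLookup'; Want = 1 },
    @{ Path = 'Excel\Options';  Name = 'DontUpdateLinks';        Want = 1 },
    @{ Path = 'Excel\Options';  Name = 'DDEAllowed';             Want = 0 }
)

foreach ($ver in $OfficeVersions) {
    $base = "HKCU:\Software\Microsoft\Office\$ver"
    if (-not (Test-Path $base)) { continue }   # this Office version is not present for the user
    foreach ($c in $DdeChecks) {
        $key = Join-Path $base $c.Path
        $val = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = 'OK'
        if ($null -eq $val) { $state = 'MISSING (Office built-in default applies)' }
        elseif ($val -ne $c.Want) { $state = "WEAK (is $val, want $($c.Want))" }
        '{0,-6} {1,-32} {2}' -f $ver, "$($c.Path)\$($c.Name)", $state
    }
}

# M1040: ASR rule "Block all Office applications from creating child processes".
# Action codes from Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$AsrOfficeChild = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$idx = [Array]::IndexOf($ids, $AsrOfficeChild)
if ($idx -ge 0 -and $mp.AttackSurfaceReductionRules_Actions[$idx] -eq 1) {
    "ASR $AsrOfficeChild : Block"
} else {
    "ASR $AsrOfficeChild : NOT in Block mode (enable with Add-MpPreference " +
    "-AttackSurfaceReductionRules_Ids $AsrOfficeChild -AttackSurfaceReductionRules_Actions Enabled)"
}
```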

Application Developer Guidance (M1013)

Enable the Hardened Runtime capability when developing applications. Do not include the com.apple.security.get-task-allow entitlement with the value set to any variation of true.

Associated Software (15)

ID | Name | Type | Context
S1229 | Havoc | Malware | The [Havoc](https://attack.mitre.org/software/S1229) SMB demon can use named pipes for communication through a parent demon.(Citation: Havoc Framework...
S1200 | StealBit | Malware | [StealBit](https://attack.mitre.org/software/S1200) can use interprocess communication (IPC) to enable the designation of multiple files for exfiltrat...
S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) contains an embedded custom [Tor](https://attack.mitre.org/software/S0183) network client t...
S1150 | ROADSWEEP | Malware | [ROADSWEEP](https://attack.mitre.org/software/S1150) can pipe command output to a targeted process.(Citation: Mandiant ROADSWEEP August 2022)
S1123 | PITSTOP | Malware | [PITSTOP](https://attack.mitre.org/software/S1123) can listen over the Unix domain socket located at `/data/runtime/cockpit/wd.fd`.(Citation: Mandiant...
S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) has the ability to move data between its kernel and user mode components, generally using named pi...
S0537 | HyperStack | Malware | [HyperStack](https://attack.mitre.org/software/S0537) can connect to the IPC$ share on remote machines.(Citation: Accenture HyperStack October 2020)
S1172 | OilBooster | Malware | [OilBooster](https://attack.mitre.org/software/S1172) can read the results of command line execution via an unnamed pipe connected to the process.(Cit...
S1244 | Medusa Ransomware | Malware | [Medusa Ransomware](https://attack.mitre.org/software/S1244) has leveraged the `CreatePipe` API to enable inter-process communication.(Citation: Secur...
S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has leveraged IPC using a UNIX domain socket between the dsmdm process and the web process.(Ci...
S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) has the ability to create a pipe to enable inter-process communication.(Citation: Trend Micro...
S1078 | RotaJakiro | Malware | When executing with non-root permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) uses the `shmget API` to create shared memory betw...
S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can retrieve output from arbitrary processes and shell commands via a pipe.(Citation: ESET Turla L...
S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) can use pipes to redirect the standard input and the standard output.(Citation: Kaspersky ToddyCat Ju...
S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has facilitated inter-process communication between DLL components via the use of pipes.(Citation...

Frequently Asked Questions

What is T1559 (Inter-Process Communication)?

T1559 is a MITRE ATT&CK technique named 'Inter-Process Communication'. It belongs to the Execution tactic. Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution.

How can T1559 be detected?

Detection of T1559 (Inter-Process Communication) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1559?

There are 6 documented mitigations for T1559: Disable or Remove Feature or Program, Software Configuration, Application Isolation and Sandboxing, Privileged Account Management, Behavior Prevention on Endpoint, and Application Developer Guidance.

Which threat groups use T1559?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.