PT Network Attack Discovery

Helps reconstruct the attack timeline and understand the sources and scale of threats

T1559: Inter-Process Communication

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on the OS, but typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Linux environments support several different IPC mechanisms, two of which are sockets and pipes. Higher-level execution mediums, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms. Adversaries may also use Remote Services such as Distributed Component Object Model to facilitate remote IPC execution.

Positive Technologies products that cover the technique

Detection

PT NAD can detect abuse of inter-process communication (IPC) mechanisms using detection rules and a special module of the activity stream. These mechanisms include COM, DDE, and pipes.

Examples of PT NAD detection rules

  • ATTACK AD [PTsecurity] Command execution via DCOMExec impacket (sid 10003422)

Detection

ID: DS0011
Data source and component: Module: Module Load
Description:

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

ID: DS0012
Data source and component: Script: Script Execution
Description:

Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ID: DS0009
Data source and component: Process: Process Access
Description:

Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that are associated with abuse of IPC mechanisms.

Mitigation

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.

ID: M1054
Name: Software Configuration
Description:

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.

ID: M1048
Name: Application Isolation and Sandboxing
Description:

Ensure all COM alerts and Protected View are enabled.

ID: M1026
Name: Privileged Account Management
Description:

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.
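The registry locations named under M1042 and M1026 can be audited from an elevated PowerShell session with a script like the one below. It is an added example, not PT NAD's or MITRE's own code; it assumes the Office 16.0 hive path and the value names Microsoft published in its DDE advisory (ADV170021).

```powershell
# Added audit example: reports weak COM/DCOM defaults, per-AppID overrides,
# and Office DDE controls. Read-only; it changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# System-wide COM defaults (HKLM\SOFTWARE\Microsoft\Ole), see M1026
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
if ((Get-RegValue $ole 'EnableDCOM') -eq 'Y') {
    $findings += 'EnableDCOM=Y: remote COM activation is allowed; confirm it is required'
}
foreach ($v in 'DefaultLaunchPermission', 'DefaultAccessPermission') {
    if ($null -eq (Get-RegValue $ole $v)) {
        $findings += "$v not set: built-in defaults apply to every COM server lacking its own ACL"
    }
}
# Authentication level 1 (None) lets callers activate objects without authenticating
$auth = Get-RegValue $ole 'LegacyAuthenticationLevel'
if ($null -ne $auth -and $auth -le 1) {
    $findings += "LegacyAuthenticationLevel=$auth is weaker than Connect (2)"
}

# Per-application overrides under HKLM\SOFTWARE\Classes\AppID\{GUID}, see M1026
foreach ($app in Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
    if ($app.PSChildName -notlike '{*}') { continue }
    $own = 'LaunchPermission', 'AccessPermission', 'RunAs' |
        Where-Object { $null -ne (Get-RegValue $app.PSPath $_) }
    if ($own) {
        $name = Get-RegValue $app.PSPath '(default)'
        $findings += "AppID $($app.PSChildName) ($name) overrides $($own -join ', '); review in Dcomcnfg.exe"
    }
}

# Office DDE controls (per-user hive; 16.0 path is an assumption), see M1042
$office = 'HKCU:\Software\Microsoft\Office\16.0'
$expected = @{
    "$office\Word\Security"  = @{ AllowDDE = 0 }
    "$office\Word\Options"   = @{ DontUpdateLinks = 1 }
    "$office\Excel\Security" = @{ DisableDDEServerLaunch = 1; DisableDDEServerLookup = 1 }
}
foreach ($path in $expected.Keys) {
    foreach ($name in $expected[$path].Keys) {
        $actual = Get-RegValue $path $name
        if ($actual -ne $expected[$path][$name]) {
            $findings += "$path\$name is '$actual', expected $($expected[$path][$name]) (DDE not hardened)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No weak COM/DDE settings found' }
```

Each FINDING line maps back to the mitigation that addresses it, so the output can be fed directly into a hardening ticket.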

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.

ID: M1013
Name: Application Developer Guidance
Description:

Enable the Hardened Runtime capability when developing applications. Do not include the com.apple.security.get-task-allow entitlement with the value set to any variation of true.