T1559: Inter-Process Communication
Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.
Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Linux environments support several different IPC mechanisms, two of which being sockets and pipes. Higher level execution mediums, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms. Adversaries may also use Remote Services such as Distributed Component Object Model to facilitate remote IPC execution.
Positive Technologies products that cover the technique
Detection
PT NAD can detect abuse of inter-process communication (IPC) mechanisms using detection rules and a special module of the activity stream. These mechanisms include COM, DDE, and pipes.
Examples of PT NAD detection rules
- ATTACK AD [PTsecurity] Command execution via DCOMExec impacket (sid 10003422)
Detection
ID | DS0011 | Data source and component | Module: Module Load | Description | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
---|
ID | DS0012 | Data source and component | Script: Script Execution | Description | Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
---|
ID | DS0009 | Data source and component | Process: Process Access | Description | Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes that are associated with abuse of IPC mechanisms |
---|
Mitigation
ID | M1042 | Name | Disable or Remove Feature or Program | Description | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. |
---|
ID | M1054 | Name | Software Configuration | Description | Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View. |
---|
ID | M1048 | Name | Application Isolation and Sandboxing | Description | Ensure all COM alerts and Protected View are enabled. |
---|
ID | M1026 | Name | Privileged Account Management | Description | Modify Registry settings (directly or using Dcomcnfg.exe) in Modify Registry settings (directly or using Dcomcnfg.exe) in |
---|
ID | M1040 | Name | Behavior Prevention on Endpoint | Description | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. |
---|
ID | M1013 | Name | Application Developer Guidance | Description | Enable the Hardened Runtime capability when developing applications. Do not include the |
---|