# T1559 Inter-Process Communication

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on the OS, but they typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which are sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)

## Technique Detection

Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.

-----------------------------------------------------------------------

### Tactics:

  *   Execution

### Platforms:

  * Windows

  * macOS

  * Linux

### Adversary Required Permissions:

  * Administrator

  * User

  * SYSTEM

### Data Sources:

  * **Module:** Module Load

  * **Process:** Process Creation

  * **Script:** Script Execution

  * **Process:** Process Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1559)

  * [Linux Ipc](https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.), N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved March 11, 2022.

  * [Fireeye Hunting Com June 2019](https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html), Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- These applications have historically been used by attackers to bypass protections because they are "trusted" applications. COM objects have been used by adversaries to bypass certain detections that rely on a trust relationship with the applications the COM object references.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- A detailed understanding of Windows internals and of how IPC mechanisms work is needed to create better analytics. Some IOCs created by these techniques require an EDR solution to be installed on the machine to query the OS for data that is not present in logs. For instance, when COM execution is chained with Parent Process Spoofing and Command Line Spoofing capabilities, it becomes hard to distinguish normal from malicious activity.

## Analytical References

  * https://ipc-research.readthedocs.io/en/latest/subpages/RPC.html

  * https://cyberpolygon.com/materials/hunting-for-advanced-tactics-techniques-and-procedures-ttps/

  * https://docs.microsoft.com/en-us/windows/win32/ipc/interprocess-communications

  * https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee

  * http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html

  * https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/

  * https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

  * https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html

  * https://docs.microsoft.com/en-us/windows/win32/midl/com-dcom-and-type-libraries

  * https://posts.specterops.io/utilizing-rpc-telemetry-7af9ea08a1d5

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'COM: Internet Explorer Manipulation'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'From an Initial Access perspective, an adversary can use IPC mechanisms to avoid detection of code execution. For example, a phishing email containing a malicious macro can avoid suspicious application behavior (Office spawning cmd/powershell) and even unusual network traffic by leveraging the appropriate COM objects. By leveraging COM, the adversary can disguise their execution behind a valid Windows process that would normally execute the request. By monitoring ImageLoad events with Sysmon you can detect an attacker trying to use Internet Explorer functionality from Microsoft Office: for an application to use Internet Explorer's ability to download files through the COM object, the process must first load "ieproxy.dll".'

  * **Query:** ```event_type: ImageLoad AND file_path:"*\\ieproxy.dll" AND proc_file_path:("\\cscript.exe" OR "\\wscript.exe" OR "\\powershell.exe" OR "\\winword.exe" OR "\\excel.exe" OR "\\powerpnt.exe" OR "\\mspub.exe" OR "\\visio.exe" OR "\\msaccess.exe" OR "\\regsvr32.exe")```

#### Analytic 2

  * **Information:** 'COM: Delayed Execution with Scheduled Task'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Example of malware using a scheduled task to separate the chain of execution activity, so that the next phase occurs at some later time.'

  * **Query:** ```event_type: ImageLoad AND file_path:"*\\taskschd.dll" AND proc_file_path:("\\cscript.exe" OR "\\wscript.exe" OR "\\powershell.exe" OR "\\winword.exe" OR "\\excel.exe" OR "\\powerpnt.exe" OR "\\mspub.exe" OR "\\visio.exe" OR "\\msaccess.exe" OR "\\regsvr32.exe")```
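The following is an added example (not part of the original playbook, not a Sysmon or Kibana feature) that implements the matching logic of Analytics 1 and 2 in Python so it can be run against exported Sysmon Event ID 7 (ImageLoad) records offline. Field names (`EventID`, `Image`, `ImageLoaded`, `ProcessId`) are Sysmon's own; the DLL-to-analytic mapping and the sample log lines are constructed for this example.

```python
"""Added example for Analytics 1 and 2: the ImageLoad matching logic of both Kibana
queries, applied to constructed Sysmon Event ID 7 records (JSON lines, Sysmon field names)."""
import json
from typing import Dict, List, Optional

# DLL -> analytic name, mirroring the two queries' file_path clauses (mapping is this example's own).
WATCHED_DLLS = {
    "ieproxy.dll": "COM: Internet Explorer Manipulation",
    "taskschd.dll": "COM: Delayed Execution with Scheduled Task",
}

# Loading processes from the queries' proc_file_path clause (document and script hosts plus regsvr32).
WATCHED_PROCESSES = {
    "cscript.exe", "wscript.exe", "powershell.exe", "winword.exe", "excel.exe",
    "powerpnt.exe", "mspub.exe", "visio.exe", "msaccess.exe", "regsvr32.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching is on the name like the queries' suffix wildcards."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_image_load(event: Dict) -> Optional[str]:
    """Return the analytic a Sysmon Event 7 record matches, or None.
    Image is the loading process, ImageLoaded is the DLL (Sysmon field names)."""
    if event.get("EventID") != 7:
        return None
    analytic = WATCHED_DLLS.get(basename(event.get("ImageLoaded", "")))
    if analytic and basename(event.get("Image", "")) in WATCHED_PROCESSES:
        return analytic
    return None


def scan(lines) -> List[Dict]:
    """Run the classifier over JSON-lines input and return one hit per matching event."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        analytic = classify_image_load(event)
        if analytic:
            hits.append({"analytic": analytic, "pid": event.get("ProcessId"),
                         "process": event["Image"], "dll": event["ImageLoaded"]})
    return hits


# Constructed sample: two true positives, a benign Office load, a legitimate IE load and a non-ImageLoad event.
SAMPLE_LOG = r"""
{"EventID": 7, "UtcTime": "2022-06-23 09:12:01.000", "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Program Files\\Internet Explorer\\ieproxy.dll"}
{"EventID": 7, "UtcTime": "2022-06-23 09:12:01.000", "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "UtcTime": "2022-06-23 09:13:40.000", "ProcessId": 3001, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ImageLoaded": "C:\\Program Files\\Internet Explorer\\ieproxy.dll"}
{"EventID": 7, "UtcTime": "2022-06-23 09:15:22.000", "ProcessId": 5210, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\System32\\taskschd.dll"}
{"EventID": 1, "UtcTime": "2022-06-23 09:15:23.000", "ProcessId": 5300, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The Kibana queries match on a path suffix; the example matches on the lower-cased file name, which has the same effect on Windows paths and keeps the process allow-list in one place so additional hosts (or additional DLLs) can be added without touching the matching code.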

#### Analytic 3

  * **Information:** 'Named Pipe: Execution and Lateral Movement'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Monitoring for Named Pipe Creation (Sysmon event 17) and Named Pipe Connected (event 18) may have a higher false positive rate depending on the applications running. Monitoring surrounding events such as event_id: 1 (process creation) or event_id: 3 (network connection) can also help determine whether execution was local or remote.'

  * **Query:** ```event_id:(17 OR 18)```
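Added example for Analytic 3 (not part of the original playbook): the notes say event 17/18 hits are noisy and that nearby event 1 and event 3 records help decide whether pipe activity was local or remote. The block below shows one way to do that triage offline over exported Sysmon records: each pipe event is tagged `remote-candidate` when an SMB (port 445) connection was logged on the host within a short window, process creations by the same image in that window are attached as context, and a per-(image, pipe) count supports baselining the false positives. The window rule is a heuristic of this example, not a Sysmon feature; field names follow Sysmon's schema and all sample records are constructed.

```python
"""Added example for Analytic 3: Sysmon named pipe events (ID 17/18) reviewed together with
nearby Event ID 1 (process creation) and Event ID 3 (network connection) records.
Sample records are constructed; field names follow Sysmon's schema."""
import json
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

PIPE_EVENTS = {17: "PipeCreated", 18: "PipeConnected"}
SMB_PORT = 445  # named pipes are reached remotely over SMB, so a nearby 445 connection is the remote signal


def parse_time(event: Dict) -> datetime:
    """Sysmon UtcTime looks like '2022-06-23 10:00:02.000'."""
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def load_events(lines) -> List[Dict]:
    return [json.loads(line) for line in lines if line.strip()]


def pipe_findings(events: List[Dict], window_seconds: int = 30) -> List[Dict]:
    """One finding per pipe event. Tagged 'remote-candidate' when an SMB connection was seen on
    the host within the window, otherwise 'local'. Heuristic chosen for this example."""
    window = timedelta(seconds=window_seconds)
    net = [e for e in events if e.get("EventID") == 3]
    procs = [e for e in events if e.get("EventID") == 1]
    findings = []
    for e in events:
        kind = PIPE_EVENTS.get(e.get("EventID"))
        if kind is None:
            continue
        t = parse_time(e)
        smb = [n for n in net
               if SMB_PORT in (n.get("SourcePort"), n.get("DestinationPort"))
               and abs(parse_time(n) - t) <= window]
        spawned = [p["Image"] for p in procs
                   if p.get("ParentImage") == e["Image"] and abs(parse_time(p) - t) <= window]
        findings.append({
            "event": kind,
            "pipe": e["PipeName"],
            "image": e["Image"],
            "origin": "remote-candidate" if smb else "local",
            "peers": sorted({n["SourceIp"] for n in smb}),
            "spawned": spawned,
        })
    return findings


def pipe_baseline(events: List[Dict]) -> Counter:
    """Count (image, pipe) pairs so frequently seen benign pairs can be tuned out of the analytic."""
    return Counter((e["Image"], e["PipeName"]) for e in events if e.get("EventID") in PIPE_EVENTS)


# Constructed sample: an inbound SMB connection followed by a pipe connect and a child process,
# then an unrelated local pipe created and connected by an application and its helper.
SAMPLE_LOG = r"""
{"EventID": 3, "UtcTime": "2022-06-23 10:00:01.000", "Image": "System", "ProcessId": 4, "SourceIp": "10.0.0.5", "SourcePort": 49811, "DestinationIp": "10.0.0.7", "DestinationPort": 445}
{"EventID": 18, "UtcTime": "2022-06-23 10:00:02.000", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1234, "PipeName": "\\example-svc"}
{"EventID": 1, "UtcTime": "2022-06-23 10:00:03.000", "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 5555, "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 17, "UtcTime": "2022-06-23 10:05:00.000", "Image": "C:\\Program Files\\ExampleApp\\app.exe", "ProcessId": 2222, "PipeName": "\\exampleapp-ipc"}
{"EventID": 18, "UtcTime": "2022-06-23 10:05:01.000", "Image": "C:\\Program Files\\ExampleApp\\helper.exe", "ProcessId": 2223, "PipeName": "\\exampleapp-ipc"}
"""

if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG.splitlines())
    for finding in pipe_findings(evs):
        print(finding)
    print(pipe_baseline(evs).most_common())
```

On a real export the baseline counter is the first thing to look at: application pairs that appear constantly across many hosts are candidates for an exclusion list, which leaves the `remote-candidate` findings with spawned children as the small set worth a hunter's time.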


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

