Which SIEM platforms have a T1559 detection rule?

df00tech provides T1559 (Inter-Process Communication) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1559 detection?

The T1559 detection is rated high severity with medium confidence.

What are common false positives for T1559?

Common false positives for T1559 include: Legitimate administrative tools using IPC$ for remote management — PsExec, SC.exe, remote registry operations, and WMI will access standard pipes like svcctl and winreg over IPC$; Backup and monitoring agents (Veeam, Zabbix, SolarWinds) that use named pipes for inter-process coordination or query Windows services via SMB; Software deployment systems (SCCM, Intune) connecting to IPC$ shares on managed endpoints for policy application and software push installations.

T1559

Inter-Process Communication

Q: What data sources are required to detect Inter-Process Communication (T1559)?

Detecting Inter-Process Communication requires the following data sources: Network Share: Network Share Access, Network Traffic: Network Connection Creation, Windows Security Event ID 5145, Microsoft Defender for Endpoint DeviceNetworkEvents.

Execution Last updated: April 21, 2026

Adversaries may abuse inter-process communication (IPC) mechanisms for local code execution, command-and-control channel establishment, or lateral movement. IPC mechanisms allow processes to share data, communicate, or synchronize execution. On Windows, adversaries commonly abuse named pipes to relay commands between C2 framework components (Havoc SMB demon, Cobalt Strike pipe-based beacons, Metasploit named pipe stagers), move data between kernel and user mode components (Uroburos/Snake malware), or pipe output from arbitrary commands to a controlling process (LunarWeb, ROADSWEEP, OilBooster). The IPC$ administrative share provides a network-accessible path for named pipe connections, enabling cross-host pipe-based C2 (HyperStack, Cobalt Strike lateral movement). On Linux and macOS, adversaries leverage Unix domain sockets (PITSTOP), shared memory segments via shmget (RotaJakiro), and anonymous pipes for inter-process communication. Medusa Ransomware and Cyclops Blink use the CreatePipe API to coordinate parallel operations. Raspberry Robin embeds a Tor client that communicates with its main payload via shared process memory. Detection focuses on named pipe creation by high-risk processes, non-standard pipe names matching known C2 framework patterns, and unusual network-based IPC$ share access.

What is T1559 Inter-Process Communication?

Inter-Process Communication (T1559) maps to the Execution tactic — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Inter-Process Communication, covering the data sources and telemetry it touches: Network Share: Network Share Access, Network Traffic: Network Connection Creation, Windows Security Event ID 5145, Microsoft Defender for Endpoint DeviceNetworkEvents. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution
Technique: T1559 Inter-Process Communication
Canonical reference: https://attack.mitre.org/techniques/T1559/

Microsoft Sentinel / Defender

kusto

let SuspiciousPipePatterns = dynamic([
    "postex_", "meterpreter", "msf-pipe", "cobaltstrike", "havoc_",
    "MSSE-", "dsniff", "win_svc_pipe", "agent_pipe", "status_",
    "msagent_", "mojo_fuzz", "winsock_pipe"
]);
let CommonSystemPipes = dynamic([
    "srvsvc", "wkssvc", "netlogon", "samr", "lsarpc", "spoolss",
    "browser", "epmapper", "MsFteWds", "atsvc", "trkwks", "W32TIME_ALT",
    "svcctl", "eventlog", "InitShutdown", "winreg", "protected_storage",
    "ROUTER", "LSM_API_service", "IPCDump"
]);
let HighRiskProcesses = dynamic([
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "pwsh.exe", "certutil.exe", "msiexec.exe", "dllhost.exe"
]);
// Detection 1: Non-standard named pipe access over IPC$ network share (Security Event 5145)
// This covers remote lateral movement and C2 relaying via named pipe tunneling
let NetworkIPCPipeAccess = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 5145
| where ShareName contains "IPC$"
| where RelativeTargetName !in~ (CommonSystemPipes)
| where IpAddress !in ("127.0.0.1", "::1", "-", "0.0.0.0")
| where SubjectUserName !endswith "$"  // Exclude expected machine account traffic
| extend PipeName = tostring(RelativeTargetName)
| extend IsSuspiciousPipeName = PipeName has_any (SuspiciousPipePatterns)
| extend DetectionSource = "IPC$NetworkPipeAccess"
| project
    TimeGenerated,
    Computer,
    AccountName = SubjectUserName,
    Domain = SubjectDomainName,
    PipeName,
    IsSuspiciousPipeName,
    DetectionSource,
    SourceAddress = IpAddress,
    SourcePort = IpPort,
    AccessMask;
// Detection 2: High-risk process initiating SMB connections (potential pipe tunnel establishment)
let HighRiskSMBPipeConn = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where InitiatingProcessFileName has_any (HighRiskProcesses)
| extend PipeName = ""
| extend IsSuspiciousPipeName = false
| extend DetectionSource = "HighRiskProcessSMBPipe"
| project
    TimeGenerated = Timestamp,
    Computer = DeviceName,
    AccountName,
    Domain = "",
    PipeName,
    IsSuspiciousPipeName,
    DetectionSource,
    SourceAddress = LocalIP,
    SourcePort = LocalPort,
    AccessMask = "",
    InitiatingProcess = InitiatingProcessFileName,
    InitiatingCommandLine = InitiatingProcessCommandLine,
    RemoteIP,
    RemotePort;
// Combine both detections
NetworkIPCPipeAccess
| extend InitiatingProcess = "", InitiatingCommandLine = "", RemoteIP = "", RemotePort = int(null)
| union HighRiskSMBPipeConn
| sort by TimeGenerated desc

Detects suspicious inter-process communication abuse via two complementary methods. First, monitors Security Event ID 5145 (network share object access) for access to non-standard named pipes over the IPC$ share from non-machine accounts and non-loopback addresses — the primary signal for C2 frameworks using named pipe tunneling for lateral movement (Cobalt Strike, Havoc, Metasploit). Standard Windows system pipes (srvsvc, lsarpc, samr, etc.) are excluded to reduce noise. Known malicious pipe name patterns are flagged with IsSuspiciousPipeName=true for immediate escalation. Second, identifies high-risk LOLBin and scripting processes initiating SMB connections to port 445, which may indicate pipe-based C2 channel setup or remote pipe access for lateral movement. Requires Security Event auditing with 'Detailed File Share' audit policy enabled.

high severity medium confidence

Data Sources

Network Share: Network Share Access Network Traffic: Network Connection Creation Windows Security Event ID 5145 Microsoft Defender for Endpoint DeviceNetworkEvents

Required Tables

SecurityEvent DeviceNetworkEvents

False Positives

Legitimate administrative tools using IPC$ for remote management — PsExec, SC.exe, remote registry operations, and WMI will access standard pipes like svcctl and winreg over IPC$
Backup and monitoring agents (Veeam, Zabbix, SolarWinds) that use named pipes for inter-process coordination or query Windows services via SMB
Software deployment systems (SCCM, Intune) connecting to IPC$ shares on managed endpoints for policy application and software push installations
Database services (SQL Server) using named pipes as an alternative client connection transport, especially in environments with pipe-based connection strings
IT automation platforms (Ansible WinRM, Chef, Puppet) that use SMB and named pipes for remote configuration management on Windows targets
EDR and AV products that use named pipes for kernel-user communication may generate pipe creation events from svchost.exe or their own service processes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=17 OR EventCode=18)
| eval EventType=case(EventCode==17, "PipeCreated", EventCode==18, "PipeConnected", true(), "Unknown")
| eval PipeNameLower=lower(PipeName)
| eval SuspiciousPipeName=if(match(PipeNameLower,
    "(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|msse-[0-9]+|dsniff|win_svc_pipe|agent_pipe|status_[0-9]+|msagent_|mojo_fuzz)"),
    1, 0)
| eval KnownSystemPipe=if(match(PipeNameLower,
    "(srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|msfteWds|atsvc|trkwks|w32time|svcctl|eventlog|initshutdown|winreg|protected_storage|router)"),
    1, 0)
| eval SuspiciousCreator=if(match(lower(Image),
    "(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)"),
    1, 0)
| eval UnexpectedCreator=if(match(lower(Image),
    "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe|acrobat\.exe)"),
    1, 0)
| eval RiskScore=(SuspiciousPipeName * 4) + (SuspiciousCreator * 2) + (UnexpectedCreator * 3) + if(KnownSystemPipe=0, 1, 0)
| where RiskScore >= 2
| table _time, host, EventType, PipeName, Image, ProcessId, User,
        SuspiciousPipeName, SuspiciousCreator, UnexpectedCreator, KnownSystemPipe, RiskScore
| sort - RiskScore, - _time

Detects suspicious named pipe creation and connection activity using Sysmon Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). Assigns a weighted risk score across four indicator categories: known C2 framework pipe name patterns matching strings used by Cobalt Strike (postex_), Metasploit (meterpreter, msf-pipe, MSSE-), and Havoc (havoc_) get +4 points; high-risk process creators like scripting hosts and LOLBins get +2 points; unexpected creators like Office applications (potential exploit/macro abuse) get +3 points; and deviation from known system pipe names gets +1 point. Events scoring 2 or higher are surfaced, prioritizing multi-indicator matches. Requires Sysmon v10.x or later configured with PipeEvent rules (EventCode 17 and/or 18) enabled in the Sysmon configuration XML.

high severity medium confidence

Data Sources

Named Pipe: Named Pipe Creation Named Pipe: Named Pipe Connection Sysmon Event ID 17 (PipeEvent - CreatePipe) Sysmon Event ID 18 (PipeEvent - ConnectPipe)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Chromium-based browsers (Chrome, Edge, Electron apps) generate extremely high volumes of named pipe creation for IPC between renderer, GPU, network, and browser processes — expect hundreds of pipe events from these processes daily
Development tools like Visual Studio, VSCode, JetBrains IDEs, and build systems (MSBuild, CMake) create named pipes for debugger attachment, language server communication, and inter-process coordination
SQL Server and other database engines create named pipes for local and remote client connections when pipe transport is configured
Security products (CrowdStrike Falcon, SentinelOne, Carbon Black) create named pipes for sensor-to-service and kernel-to-user communication; their processes will generate events from svchost.exe or dedicated service executables
Docker Desktop on Windows uses named pipes for communication between the WSL2 VM and the Windows host, generating volume from com.docker.service and dockerd processes

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [network where event.action == "network_connection" and destination.port == 445 and
   process.name in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                      "powershell.exe", "pwsh.exe", "certutil.exe", "msiexec.exe", "dllhost.exe") and
   not destination.ip in ("127.0.0.1", "::1")]
  [file where event.action == "creation" and
   file.path like~ "*\\pipe\\*" and
   not file.name in~ ("srvsvc", "wkssvc", "netlogon", "samr", "lsarpc", "spoolss", "browser",
                      "epmapper", "MsFteWds", "atsvc", "trkwks", "W32TIME_ALT",
                      "svcctl", "eventlog", "InitShutdown", "winreg", "protected_storage")]

OR

any where event.category == "file" and
  file.path like~ "*\\pipe\\*" and
  (
    file.name like~ "*postex_*" or
    file.name like~ "*meterpreter*" or
    file.name like~ "*msf-pipe*" or
    file.name like~ "*cobaltstrike*" or
    file.name like~ "*havoc_*" or
    file.name like~ "*MSSE-*" or
    file.name like~ "*win_svc_pipe*" or
    file.name like~ "*agent_pipe*" or
    file.name like~ "*mojo_fuzz*" or
    file.name like~ "*winsock_pipe*"
  )

Detects Inter-Process Communication abuse via named pipe creation by high-risk processes or known C2 framework pipe name patterns. Sequences high-risk process SMB connections with subsequent named pipe file events, and independently flags known malicious pipe name patterns associated with Cobalt Strike, Metasploit, Havoc C2, and other offensive tooling.

high severity medium confidence

Data Sources

Windows Sysmon Elastic Endpoint Security Windows Security Event Log

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate administrative tools using SMB named pipes for remote management such as PsExec, WMI, or DCOM operations that create temporary pipe names
Security testing platforms and vulnerability scanners that enumerate or connect to named pipes as part of authorized assessments
Development and debugging environments where custom pipe names are created by application frameworks or build tools running under scripting host processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "FileName" AS pipe_name,
  "ProcessName" AS initiating_process,
  LOGSOURCENAME(logsourceid) AS log_source,
  CASE
    WHEN LOWER("FileName") MATCHES '(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|msse-[0-9]+|win_svc_pipe|agent_pipe|mojo_fuzz|winsock_pipe)' THEN 4
    ELSE 0
  END +
  CASE
    WHEN LOWER("ProcessName") MATCHES '(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)' THEN 2
    ELSE 0
  END +
  CASE
    WHEN LOWER("ProcessName") MATCHES '(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe|acrobat\.exe)' THEN 3
    ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 40, 143, 191)
  AND starttime > NOW() - 86400000
  AND (
    ("EventID" = '17' OR "EventID" = '18')
    AND "FileName" IS NOT NULL
    AND LOWER("FileName") NOT MATCHES '(srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|msfteWds|atsvc|trkwks|w32time|svcctl|eventlog|initshutdown|winreg|protected_storage|router)'
  )
  AND (
    LOWER("FileName") MATCHES '(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|msse-[0-9]+|win_svc_pipe|agent_pipe|mojo_fuzz)'
    OR LOWER("ProcessName") MATCHES '(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)'
    OR LOWER("ProcessName") MATCHES '(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe)'
  )
ORDER BY risk_score DESC, starttime DESC

AQL query for IBM QRadar that detects named pipe creation and connection events (Sysmon EventID 17/18) with risk scoring across three dimensions: known C2 framework pipe name patterns (Cobalt Strike, Metasploit, Havoc), high-risk process creators (LOLBins and scripting engines), and unexpected document application creators (Office suite, PDF readers). Events scoring >= 2 are surfaced, with higher risk scores indicating stronger indicators of IPC abuse for C2 or lateral movement.

high severity medium confidence

Data Sources

Windows Sysmon via QRadar DSM Windows Security Event Log

Required Tables

events

False Positives

Automated patch management or software deployment systems that use PowerShell or msiexec.exe to install software that creates named pipes during installation
Enterprise endpoint detection and response agents that create named pipes for inter-component communication using scripting host processes
Legitimate penetration testing or red team exercises using Cobalt Strike or Metasploit under authorized change control

Sumo Logic CSE

sql

// Named pipe creation/connection detection with risk scoring for T1559 IPC abuse
_sourceCategory=*windows*sysmon* (EventCode=17 OR EventCode=18)
| parse "<EventID>*</EventID>" as EventCode
| parse "<Data Name='PipeName'>*</Data>" as PipeName
| parse "<Data Name='Image'>*</Data>" as ProcessImage
| parse "<Data Name='ProcessId'>*</Data>" as ProcessId
| parse "<Data Name='User'>*</Data>" as UserName
| parse "<Data Name='UtcTime'>*</Data>" as EventTime
| eval EventType = if(EventCode == "17", "PipeCreated", "PipeConnected")
| eval PipeNameLower = toLowerCase(PipeName)
| eval SuspiciousPipeName = if(matches(PipeNameLower, "postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|msse-\\d+|dsniff|win_svc_pipe|agent_pipe|status_\\d+|msagent_|mojo_fuzz|winsock_pipe"), 1, 0)
| eval KnownSystemPipe = if(matches(PipeNameLower, "srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|msfteWds|atsvc|trkwks|w32time|svcctl|eventlog|initshutdown|winreg|protected_storage|router"), 1, 0)
| eval ProcessImageLower = toLowerCase(ProcessImage)
| eval SuspiciousCreator = if(matches(ProcessImageLower, "rundll32\\.exe|regsvr32\\.exe|mshta\\.exe|wscript\\.exe|cscript\\.exe|powershell\\.exe|pwsh\\.exe|certutil\\.exe|msiexec\\.exe|dllhost\\.exe"), 1, 0)
| eval UnexpectedCreator = if(matches(ProcessImageLower, "winword\\.exe|excel\\.exe|powerpnt\\.exe|outlook\\.exe|acrord32\\.exe|acrobat\\.exe"), 1, 0)
| eval RiskScore = (SuspiciousPipeName * 4) + (SuspiciousCreator * 2) + (UnexpectedCreator * 3) + if(KnownSystemPipe == 0, 1, 0)
| where RiskScore >= 2
| fields EventTime, _sourceHost, EventType, PipeName, ProcessImage, ProcessId, UserName, SuspiciousPipeName, SuspiciousCreator, UnexpectedCreator, KnownSystemPipe, RiskScore
| sort by RiskScore, _messageTime

Sumo Logic CSE query detecting T1559 IPC abuse through Sysmon named pipe creation (EventCode 17) and connection (EventCode 18) events. Implements a multi-factor risk scoring model: suspicious pipe names matching known C2 frameworks score 4 points, high-risk LOLBin/scripting process creators score 2 points, unexpected document application creators score 3 points, and non-system pipe names add 1 point. Events with cumulative risk score of 2 or higher are surfaced for analyst review.

high severity medium confidence

Data Sources

Windows Sysmon operational log via Sumo Logic collector Windows endpoint agents

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

Software installers using msiexec.exe that create temporary named pipes for IPC between installer components during application setup or update cycles
Legitimate remote administration tools such as PsExec relay components that create uniquely named pipes as part of their normal operation when managed by PowerShell orchestration scripts
Application performance monitoring and tracing agents that hook into scripting engines via named pipes for telemetry collection

Google Chronicle / SecOps

yaral

rule t1559_ipc_named_pipe_abuse {
  meta:
    author = "Argus Detection Platform"
    description = "Detects T1559 Inter-Process Communication abuse via named pipe creation by high-risk processes or known C2 framework pipe name patterns including Cobalt Strike, Metasploit, and Havoc"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution, Lateral Movement, Command and Control"
    mitre_attack_technique = "T1559"
    reference = "https://attack.mitre.org/techniques/T1559/"

  events:
    $pipe_event.metadata.event_type = "FILE_CREATION"
    $pipe_event.target.file.full_path = /\\pipe\\/
    (
      re.regex($pipe_event.target.file.full_path, `(?i)(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|MSSE-\d+|dsniff|win_svc_pipe|agent_pipe|status_\d+|msagent_|mojo_fuzz|winsock_pipe)`)
      OR
      re.regex($pipe_event.principal.process.file.full_path, `(?i)(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe|winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe)`)
    )
    NOT re.regex($pipe_event.target.file.full_path, `(?i)(srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|MsFteWds|atsvc|trkwks|W32TIME_ALT|svcctl|eventlog|InitShutdown|winreg|protected_storage|ROUTER|LSM_API_service)`)

  condition:
    $pipe_event
}

Chronicle YARA-L 2.0 rule for T1559 IPC abuse detection. Monitors FILE_CREATION events targeting Windows named pipe paths, triggering when either the pipe name matches known C2 framework patterns (Cobalt Strike postex_, Metasploit meterpreter, Havoc havoc_, MSSE- stagers) or when the creating process is a high-risk LOLBin, scripting engine, or unexpected document application. Known legitimate system pipes are excluded to reduce false positive volume.

high severity medium confidence

Data Sources

Windows Sysmon via Chronicle forwarder Google Chronicle UDM

Required Tables

UDM FILE_CREATION events

False Positives

Enterprise automation platforms running PowerShell DSC or Ansible that create named pipes as part of configuration management workflows on managed endpoints
Custom line-of-business applications compiled as DLLs loaded by rundll32.exe that use named pipes for communication between their service and UI components
Security software update mechanisms that use certutil.exe or msiexec.exe with named pipe IPC between downloader and installer stages

CrowdStrike LogScale (CQL)

cql

// T1559 IPC Named Pipe Abuse Detection
// Detection 1: Named pipe creation by high-risk or C2-associated processes
#repo=base_sensor #event_simpleName=PipeCreated
| PipeName = /(?i)(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|MSSE-\d+|dsniff|win_svc_pipe|agent_pipe|status_\d+|msagent_|mojo_fuzz|winsock_pipe)/
| table([timestamp, ComputerName, UserName, PipeName, ImageFileName, ProcessId, ParentBaseFileName])
| rename(field=ImageFileName, as=CreatingProcess)

// Detection 2: High-risk process creating any non-standard pipe
#repo=base_sensor #event_simpleName=PipeCreated
| CreatingProcess = /(?i)(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)/
| not PipeName = /(?i)(srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|MsFteWds|atsvc|trkwks|W32TIME_ALT|svcctl|eventlog|InitShutdown|winreg|protected_storage|ROUTER|LSM_API_service|IPCDump)/
| table([timestamp, ComputerName, UserName, PipeName, ImageFileName, ProcessId, ParentBaseFileName, CommandLine])

// Detection 3: SMB connections from high-risk processes (lateral movement via IPC$)
#repo=base_sensor #event_simpleName=NetworkConnectIP4
| RemotePort=445
| ImageFileName = /(?i)(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)/
| not RemoteAddressIP4 in ["127.0.0.1", "0.0.0.0"]
| groupBy([ComputerName, ImageFileName, RemoteAddressIP4], function=[count(as=ConnectionCount), collectDistinct(RemotePort, as=ports)])
| where ConnectionCount >= 1
| sort(ConnectionCount, order=desc)

CrowdStrike LogScale (CQL) detection for T1559 IPC abuse using three complementary detections: (1) Named pipe creation events matching known C2 framework pipe name patterns from Cobalt Strike, Metasploit, and Havoc; (2) High-risk LOLBin or scripting engine processes creating non-standard named pipes that don't match known system pipe names; (3) SMB port 445 connections from high-risk processes indicating potential IPC$ lateral movement or pipe-based C2 tunneling. Results are correlated by host to identify endpoint compromise patterns.

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor telemetry Falcon PipeCreated events Falcon NetworkConnectIP4 events

Required Tables

#repo=base_sensor #event_simpleName=PipeCreated #repo=base_sensor #event_simpleName=NetworkConnectIP4

False Positives

IT automation and remote management tools such as SCCM client agents that use PowerShell to create named pipes for communicating status back to management infrastructure
Application virtualization platforms that use dllhost.exe or rundll32.exe as host processes for isolated application components that communicate via named pipes
Legitimate penetration testing activity using authorized Cobalt Strike or Metasploit deployments during sanctioned red team engagements covered by a rules of engagement document

Sigma rule & cross-platform mapping

The detection logic for Inter-Process Communication (T1559) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1559 Sigma rules on detection.fyi

Platform-specific guides for T1559

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-21 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Named Pipe Server Creation via PowerShell (Simulated C2 Listener)
Expected signal: Sysmon Event ID 17 (PipeEvent - CreatePipe): Image=powershell.exe, PipeName=argus_ipc_test_pipe, ProcessId=<pid>, User=<current user>. Security Event 4688 (if process command line auditing is enabled) for the PowerShell invocation.
Test 2Named Pipe with Known C2 Framework Pattern (Cobalt Strike postex_ simulation)
Expected signal: Sysmon Event ID 17 (PipeEvent - CreatePipe): Image=powershell.exe, PipeName=postex_ssh_8a3f, ProcessId=<pid>. This is the highest-confidence detection trigger — the pipe name exactly matches the Cobalt Strike postex_ pattern.
Test 3IPC$ Named Share Access via Net Use (Remote Pipe Connection Simulation)
Expected signal: Windows Security Event ID 5145: ShareName=\\*\IPC$, IpAddress=127.0.0.1 (loopback — note: the detection filters loopback by default; modify the IpAddress filter to include 127.0.0.1 to capture this test). Security Event 4624 (logon) for the SMB session establishment. Sysmon Event ID 3 for the network connection on port 445 from cmd.exe.
Test 4Anonymous Pipe Process Output Capture (OilBooster/ROADSWEEP Pattern)
Expected signal: Sysmon Event ID 1 (Process Create): Parent Image=powershell.exe, Child Image=whoami.exe, ParentCommandLine contains 'RedirectStandardOutput'. Security Event 4688 (if command line auditing enabled) for whoami.exe creation with parent PID of the PowerShell process. Note: anonymous pipes do NOT generate Sysmon Event ID 17 — they are transient kernel objects with no name.
Test 5Unix Domain Socket Listener (Linux IPC Abuse Simulation)
Expected signal: Linux auditd (if configured with AF_UNIX socket rules): SYSCALL record for socket() with a0=1 (AF_UNIX), SYSCALL record for bind() with the socket path, SYSCALL record for listen(). Syslog/EDR process creation event for python3 with the IPC-related command arguments. File creation event for /tmp/argus_uds_test.sock. Check with: 'lsof /tmp/argus_uds_test.sock' or 'ss -xln | grep argus' while the script is running.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1559 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Inter-Process Communication

What is T1559 Inter-Process Communication?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1559

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1559 Inter-Process Communication?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1559

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox