T1559 Microsoft Sentinel · KQL

Detect Inter-Process Communication in Microsoft Sentinel

Adversaries may abuse inter-process communication (IPC) mechanisms for local code execution, command-and-control channel establishment, or lateral movement. IPC mechanisms allow processes to share data, communicate, or synchronize execution. On Windows, adversaries commonly abuse named pipes to relay commands between C2 framework components (Havoc SMB demon, Cobalt Strike pipe-based beacons, Metasploit named pipe stagers), move data between kernel and user mode components (Uroburos/Snake malware), or pipe output from arbitrary commands to a controlling process (LunarWeb, ROADSWEEP, OilBooster). The IPC$ administrative share provides a network-accessible path for named pipe connections, enabling cross-host pipe-based C2 (HyperStack, Cobalt Strike lateral movement). On Linux and macOS, adversaries leverage Unix domain sockets (PITSTOP), shared memory segments via shmget (RotaJakiro), and anonymous pipes for inter-process communication. Medusa Ransomware and Cyclops Blink use the CreatePipe API to coordinate parallel operations. Raspberry Robin embeds a Tor client that communicates with its main payload via shared process memory. Detection focuses on named pipe creation by high-risk processes, non-standard pipe names matching known C2 framework patterns, and unusual network-based IPC$ share access.

MITRE ATT&CK

Tactic
Execution
Technique
T1559 Inter-Process Communication
Canonical reference
https://attack.mitre.org/techniques/T1559/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousPipePatterns = dynamic([
    "postex_", "meterpreter", "msf-pipe", "cobaltstrike", "havoc_",
    "MSSE-", "dsniff", "win_svc_pipe", "agent_pipe", "status_",
    "msagent_", "mojo_fuzz", "winsock_pipe"
]);
let CommonSystemPipes = dynamic([
    "srvsvc", "wkssvc", "netlogon", "samr", "lsarpc", "spoolss",
    "browser", "epmapper", "MsFteWds", "atsvc", "trkwks", "W32TIME_ALT",
    "svcctl", "eventlog", "InitShutdown", "winreg", "protected_storage",
    "ROUTER", "LSM_API_service", "IPCDump"
]);
let HighRiskProcesses = dynamic([
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "pwsh.exe", "certutil.exe", "msiexec.exe", "dllhost.exe"
]);
// Detection 1: Non-standard named pipe access over IPC$ network share (Security Event 5145)
// This covers remote lateral movement and C2 relaying via named pipe tunneling
let NetworkIPCPipeAccess = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 5145
| where ShareName contains "IPC$"
| where RelativeTargetName !in~ (CommonSystemPipes)
| where IpAddress !in ("127.0.0.1", "::1", "-", "0.0.0.0")
| where SubjectUserName !endswith "$"  // Exclude expected machine account traffic
| extend PipeName = tostring(RelativeTargetName)
| extend IsSuspiciousPipeName = PipeName has_any (SuspiciousPipePatterns)
| extend DetectionSource = "IPC$NetworkPipeAccess"
| project
    TimeGenerated,
    Computer,
    AccountName = SubjectUserName,
    Domain = SubjectDomainName,
    PipeName,
    IsSuspiciousPipeName,
    DetectionSource,
    SourceAddress = IpAddress,
    SourcePort = IpPort,
    AccessMask;
// Detection 2: High-risk process initiating SMB connections (potential pipe tunnel establishment)
let HighRiskSMBPipeConn = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where InitiatingProcessFileName has_any (HighRiskProcesses)
| extend PipeName = ""
| extend IsSuspiciousPipeName = false
| extend DetectionSource = "HighRiskProcessSMBPipe"
| project
    TimeGenerated = Timestamp,
    Computer = DeviceName,
    AccountName,
    Domain = "",
    PipeName,
    IsSuspiciousPipeName,
    DetectionSource,
    SourceAddress = LocalIP,
    SourcePort = LocalPort,
    AccessMask = "",
    InitiatingProcess = InitiatingProcessFileName,
    InitiatingCommandLine = InitiatingProcessCommandLine,
    RemoteIP,
    RemotePort;
// Combine both detections
NetworkIPCPipeAccess
| extend InitiatingProcess = "", InitiatingCommandLine = "", RemoteIP = "", RemotePort = int(null)
| union HighRiskSMBPipeConn
| sort by TimeGenerated desc
high severity medium confidence

Detects suspicious inter-process communication abuse via two complementary methods. First, monitors Security Event ID 5145 (network share object access) for access to non-standard named pipes over the IPC$ share from non-machine accounts and non-loopback addresses — the primary signal for C2 frameworks using named pipe tunneling for lateral movement (Cobalt Strike, Havoc, Metasploit). Standard Windows system pipes (srvsvc, lsarpc, samr, etc.) are excluded to reduce noise. Known malicious pipe name patterns are flagged with IsSuspiciousPipeName=true for immediate escalation. Second, identifies high-risk LOLBin and scripting processes initiating SMB connections to port 445, which may indicate pipe-based C2 channel setup or remote pipe access for lateral movement. Requires Security Event auditing with 'Detailed File Share' audit policy enabled.

Data Sources

Network Share: Network Share AccessNetwork Traffic: Network Connection CreationWindows Security Event ID 5145Microsoft Defender for Endpoint DeviceNetworkEvents

Required Tables

SecurityEventDeviceNetworkEvents

False Positives & Tuning

  • Legitimate administrative tools using IPC$ for remote management — PsExec, SC.exe, remote registry operations, and WMI will access standard pipes like svcctl and winreg over IPC$
  • Backup and monitoring agents (Veeam, Zabbix, SolarWinds) that use named pipes for inter-process coordination or query Windows services via SMB
  • Software deployment systems (SCCM, Intune) connecting to IPC$ shares on managed endpoints for policy application and software push installations
  • Database services (SQL Server) using named pipes as an alternative client connection transport, especially in environments with pipe-based connection strings
  • IT automation platforms (Ansible WinRM, Chef, Puppet) that use SMB and named pipes for remote configuration management on Windows targets
  • EDR and AV products that use named pipes for kernel-user communication may generate pipe creation events from svchost.exe or their own service processes
Download portable Sigma rule (.yml)

Other platforms for T1559

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Named Pipe Server Creation via PowerShell (Simulated C2 Listener)

    Expected signal: Sysmon Event ID 17 (PipeEvent - CreatePipe): Image=powershell.exe, PipeName=argus_ipc_test_pipe, ProcessId=<pid>, User=<current user>. Security Event 4688 (if process command line auditing is enabled) for the PowerShell invocation.

  2. Test 2Named Pipe with Known C2 Framework Pattern (Cobalt Strike postex_ simulation)

    Expected signal: Sysmon Event ID 17 (PipeEvent - CreatePipe): Image=powershell.exe, PipeName=postex_ssh_8a3f, ProcessId=<pid>. This is the highest-confidence detection trigger — the pipe name exactly matches the Cobalt Strike postex_ pattern.

  3. Test 3IPC$ Named Share Access via Net Use (Remote Pipe Connection Simulation)

    Expected signal: Windows Security Event ID 5145: ShareName=\\*\IPC$, IpAddress=127.0.0.1 (loopback — note: the detection filters loopback by default; modify the IpAddress filter to include 127.0.0.1 to capture this test). Security Event 4624 (logon) for the SMB session establishment. Sysmon Event ID 3 for the network connection on port 445 from cmd.exe.

  4. Test 4Anonymous Pipe Process Output Capture (OilBooster/ROADSWEEP Pattern)

    Expected signal: Sysmon Event ID 1 (Process Create): Parent Image=powershell.exe, Child Image=whoami.exe, ParentCommandLine contains 'RedirectStandardOutput'. Security Event 4688 (if command line auditing enabled) for whoami.exe creation with parent PID of the PowerShell process. Note: anonymous pipes do NOT generate Sysmon Event ID 17 — they are transient kernel objects with no name.

  5. Test 5Unix Domain Socket Listener (Linux IPC Abuse Simulation)

    Expected signal: Linux auditd (if configured with AF_UNIX socket rules): SYSCALL record for socket() with a0=1 (AF_UNIX), SYSCALL record for bind() with the socket path, SYSCALL record for listen(). Syslog/EDR process creation event for python3 with the IPC-related command arguments. File creation event for /tmp/argus_uds_test.sock. Check with: 'lsof /tmp/argus_uds_test.sock' or 'ss -xln | grep argus' while the script is running.

Last updated: 2026-04-21 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1559 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1559.001Component Object ModelT1559.002Dynamic Data ExchangeT1559.003XPC ServicesT1021.002SMB/Windows Admin SharesT1055Process InjectionT1090ProxyT1570Lateral Tool TransferT1134.001Token Impersonation/TheftT1543.003Windows ServiceT1047Windows Management Instrumentation

Same Tactic: Execution

Popular Detections