Detect Inter-Process Communication in Splunk
Adversaries may abuse inter-process communication (IPC) mechanisms for local code execution, command-and-control channel establishment, or lateral movement. IPC mechanisms allow processes to share data, communicate, or synchronize execution. On Windows, adversaries commonly abuse named pipes to relay commands between C2 framework components (Havoc SMB demon, Cobalt Strike pipe-based beacons, Metasploit named pipe stagers), move data between kernel and user mode components (Uroburos/Snake malware), or pipe output from arbitrary commands to a controlling process (LunarWeb, ROADSWEEP, OilBooster). The IPC$ administrative share provides a network-accessible path for named pipe connections, enabling cross-host pipe-based C2 (HyperStack, Cobalt Strike lateral movement). On Linux and macOS, adversaries leverage Unix domain sockets (PITSTOP), shared memory segments via shmget (RotaJakiro), and anonymous pipes for inter-process communication. Medusa Ransomware and Cyclops Blink use the CreatePipe API to coordinate parallel operations. Raspberry Robin embeds a Tor client that communicates with its main payload via shared process memory. Detection focuses on named pipe creation by high-risk processes, non-standard pipe names matching known C2 framework patterns, and unusual network-based IPC$ share access.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1559 Inter-Process Communication
- Canonical reference
- https://attack.mitre.org/techniques/T1559/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=17 OR EventCode=18)
| eval EventType=case(EventCode==17, "PipeCreated", EventCode==18, "PipeConnected", true(), "Unknown")
| eval PipeNameLower=lower(PipeName)
| eval SuspiciousPipeName=if(match(PipeNameLower,
"(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|msse-[0-9]+|dsniff|win_svc_pipe|agent_pipe|status_[0-9]+|msagent_|mojo_fuzz)"),
1, 0)
| eval KnownSystemPipe=if(match(PipeNameLower,
"(srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|msftewds|atsvc|trkwks|w32time|svcctl|eventlog|initshutdown|winreg|protected_storage|router)"),
1, 0)
| eval SuspiciousCreator=if(match(lower(Image),
"(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)"),
1, 0)
| eval UnexpectedCreator=if(match(lower(Image),
"(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe|acrobat\.exe)"),
1, 0)
| eval RiskScore=(SuspiciousPipeName * 4) + (SuspiciousCreator * 2) + (UnexpectedCreator * 3) + if(KnownSystemPipe==0, 1, 0)
| where RiskScore >= 2
| table _time, host, EventType, PipeName, Image, ProcessId, User,
SuspiciousPipeName, SuspiciousCreator, UnexpectedCreator, KnownSystemPipe, RiskScore
| sort - RiskScore, - _time
Detects suspicious named pipe creation and connection activity using Sysmon Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). Assigns a weighted risk score across four indicator categories: pipe names matching known C2 framework patterns used by Cobalt Strike (postex_), Metasploit (meterpreter, msf-pipe, MSSE-), and Havoc (havoc_) get +4 points; high-risk creator processes such as scripting hosts and LOLBins get +2 points; unexpected creators such as Office applications (potential exploit/macro abuse) get +3 points; and any pipe name that does not match the known system pipe list gets +1 point. Because PipeName is lowercased before matching, every pattern in the two pipe-name lists must be written in lowercase or it will never match. Events scoring 2 or higher are surfaced, which prioritizes multi-indicator matches. Requires Sysmon v10.x or later configured with PipeEvent rules (EventCode 17 and/or 18) enabled in the Sysmon configuration XML.
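To make the scoring model easy to reason about and test offline, the following Python reimplements the query's four indicators and the threshold over constructed Sysmon Event ID 17/18 XML records. This is an added example, not code from the page or from Splunk; the events, process images, pipe names and user are constructed for illustration, and the XML shape is a minimal cut of the real Sysmon schema (only the fields the query uses). The pattern lists are kept lowercase because, exactly as in the SPL, the pipe name and image path are lowercased before matching.

```python
"""Replica of the page's named-pipe risk scoring over constructed Sysmon events."""
import re
import xml.etree.ElementTree as ET

# Sysmon writes events in the standard Windows event XML namespace
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Pattern lists copied from the SPL. All lowercase: the inputs are lowercased first.
SUSPICIOUS_PIPE = re.compile(
    r"(postex_|meterpreter|msf-pipe|cobaltstrike|havoc_|msse-[0-9]+|dsniff|"
    r"win_svc_pipe|agent_pipe|status_[0-9]+|msagent_|mojo_fuzz)")
KNOWN_SYSTEM_PIPE = re.compile(
    r"(srvsvc|wkssvc|netlogon|samr|lsarpc|spoolss|browser|epmapper|msftewds|atsvc|"
    r"trkwks|w32time|svcctl|eventlog|initshutdown|winreg|protected_storage|router)")
SUSPICIOUS_CREATOR = re.compile(
    r"(rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|"
    r"powershell\.exe|pwsh\.exe|certutil\.exe|msiexec\.exe|dllhost\.exe)")
UNEXPECTED_CREATOR = re.compile(
    r"(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe|acrobat\.exe)")


def sysmon_pipe_event(event_id, pipe_name, image, pid=4812, user=r"CORP\alice"):
    """Build a constructed, minimal Sysmon PipeEvent XML record (17 = create, 18 = connect)."""
    event_type = "CreatePipe" if event_id == 17 else "ConnectPipe"
    return (
        f'<Event xmlns="{NS["e"]}">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="EventType">{event_type}</Data>'
        f'<Data Name="ProcessId">{pid}</Data><Data Name="PipeName">{pipe_name}</Data>'
        f'<Data Name="Image">{image}</Data><Data Name="User">{user}</Data></EventData></Event>'
    )


# Constructed sample telemetry: one C2-style pipe, two benign system pipes (one mixed case),
# a Chromium IPC pipe (the main false-positive source), and an Office-spawned pipe.
SAMPLE_EVENTS = [
    sysmon_pipe_event(17, r"\postex_ssh_8a3f",
                      r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    sysmon_pipe_event(18, r"\srvsvc", r"C:\Windows\System32\svchost.exe"),
    sysmon_pipe_event(17, r"\mojo.7852.1234.abc",
                      r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    sysmon_pipe_event(17, r"\wordpipe_1",
                      r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    sysmon_pipe_event(17, r"\MsFteWds", r"C:\Windows\System32\SearchIndexer.exe"),
]


def parse_event(xml_text):
    """Extract EventCode plus the EventData fields the query relies on."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventCode": event_id, "PipeName": data.get("PipeName", ""),
            "Image": data.get("Image", ""), "ProcessId": data.get("ProcessId", ""),
            "User": data.get("User", "")}


def score_event(ev):
    """Apply the four indicators and the weighted sum exactly as the SPL does."""
    pipe = ev["PipeName"].lower()          # PipeNameLower
    image = ev["Image"].lower()            # lower(Image)
    suspicious_pipe = 1 if SUSPICIOUS_PIPE.search(pipe) else 0
    known_system = 1 if KNOWN_SYSTEM_PIPE.search(pipe) else 0
    suspicious_creator = 1 if SUSPICIOUS_CREATOR.search(image) else 0
    unexpected_creator = 1 if UNEXPECTED_CREATOR.search(image) else 0
    risk = (suspicious_pipe * 4 + suspicious_creator * 2 + unexpected_creator * 3
            + (0 if known_system else 1))
    event_type = {17: "PipeCreated", 18: "PipeConnected"}.get(ev["EventCode"], "Unknown")
    return {**ev, "EventType": event_type, "SuspiciousPipeName": suspicious_pipe,
            "KnownSystemPipe": known_system, "SuspiciousCreator": suspicious_creator,
            "UnexpectedCreator": unexpected_creator, "RiskScore": risk}


def run_detection(xml_events, threshold=2):
    """Score every event, keep those at or above the threshold, highest risk first."""
    scored = [score_event(parse_event(x)) for x in xml_events]
    hits = [s for s in scored if s["RiskScore"] >= threshold]
    return sorted(hits, key=lambda s: s["RiskScore"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["EventType"], hit["PipeName"], hit["Image"])
```

Running it surfaces only the postex_ pipe from powershell.exe (score 7) and the Office-created pipe (score 4); the Chrome mojo pipe scores 1 and stays below the threshold, and the mixed-case MsFteWds pipe scores 0 because the known-system pattern is lowercase and therefore matches the lowercased name. Changing `msftewds` back to `msfteWds` in the pattern is a quick way to see how a single uppercase letter silently turns a system pipe into a +1 hit.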
Data Sources
Required Sourcetypes
False Positives & Tuning
- Chromium-based browsers (Chrome, Edge, Electron apps) generate extremely high volumes of named pipe creation for IPC between renderer, GPU, network, and browser processes — expect hundreds of pipe events from these processes daily
- Development tools like Visual Studio, VSCode, JetBrains IDEs, and build systems (MSBuild, CMake) create named pipes for debugger attachment, language server communication, and inter-process coordination
- SQL Server and other database engines create named pipes for local and remote client connections when pipe transport is configured
- Security products (CrowdStrike Falcon, SentinelOne, Carbon Black) create named pipes for sensor-to-service and kernel-to-user communication; their processes will generate events from svchost.exe or dedicated service executables
- Docker Desktop on Windows uses named pipes for communication between the WSL2 VM and the Windows host, generating volume from com.docker.service and dockerd processes
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Named Pipe Server Creation via PowerShell (Simulated C2 Listener)
Expected signal: Sysmon Event ID 17 (PipeEvent - CreatePipe): Image=powershell.exe, PipeName=argus_ipc_test_pipe, ProcessId=<pid>, User=<current user>. Security Event 4688 (if process command line auditing is enabled) for the PowerShell invocation.
- Test 2: Named Pipe with Known C2 Framework Pattern (Cobalt Strike postex_ simulation)
Expected signal: Sysmon Event ID 17 (PipeEvent - CreatePipe): Image=powershell.exe, PipeName=postex_ssh_8a3f, ProcessId=<pid>. This is the highest-confidence detection trigger — the pipe name exactly matches the Cobalt Strike postex_ pattern.
- Test 3: IPC$ Named Share Access via Net Use (Remote Pipe Connection Simulation)
Expected signal: Windows Security Event ID 5145: ShareName=\\*\IPC$, IpAddress=127.0.0.1 (loopback — note: the detection filters loopback by default; modify the IpAddress filter to include 127.0.0.1 to capture this test). Security Event 4624 (logon) for the SMB session establishment. Sysmon Event ID 3 for the network connection on port 445 from cmd.exe.
- Test 4: Anonymous Pipe Process Output Capture (OilBooster/ROADSWEEP Pattern)
Expected signal: Sysmon Event ID 1 (Process Create): Parent Image=powershell.exe, Child Image=whoami.exe, ParentCommandLine contains 'RedirectStandardOutput'. Security Event 4688 (if command line auditing is enabled) for whoami.exe creation with the parent PID of the PowerShell process. Note: anonymous pipes do NOT generate Sysmon Event ID 17 — they are transient kernel objects with no name.
- Test 5: Unix Domain Socket Listener (Linux IPC Abuse Simulation)
Expected signal: Linux auditd (if configured with AF_UNIX socket rules): SYSCALL record for socket() with a0=1 (AF_UNIX), SYSCALL record for bind() with the socket path, SYSCALL record for listen(). Syslog/EDR process creation event for python3 with the IPC-related command arguments. File creation event for /tmp/argus_uds_test.sock. Check with: 'lsof /tmp/argus_uds_test.sock' or 'ss -xln | grep argus' while the script is running.
References (13)
- https://attack.mitre.org/techniques/T1559/
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes
- https://learn.microsoft.com/en-us/windows/win32/ipc/anonymous-pipes
- https://learn.microsoft.com/en-us/azure/sentinel/audit-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/named-pipes.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md
- https://www.cybereason.com/blog/research/stealbit-exfiltration-tool
- https://www.mandiant.com/media/17826
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-hyperstack-carbon-snake
- https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-financial-industries.html
- https://www.kaspersky.com/about/press-releases/2022_toddycat-is-knocking-on-your-door