title: Inter-Process Communication (T1559)
id: df00tech-t1559
status: experimental
description: "Adversaries may abuse inter-process communication (IPC) mechanisms for local code execution, command-and-control channel establishment, or lateral movement. IPC mechanisms allow processes to share data, communicate, or synchronize execution. On Windows, adversaries commonly abuse named pipes to relay commands between C2 framework components (Havoc SMB demon, Cobalt Strike pipe-based beacons, Metasploit named pipe stagers), move data between kernel and user mode components (Uroburos/Snake malware), or pipe output from arbitrary commands to a controlling process (LunarWeb, ROADSWEEP, OilBooster). The IPC$ administrative share provides a network-accessible path for named pipe connections, enabling cross-host pipe-based C2 (HyperStack, Cobalt Strike lateral movement). On Linux and macOS, adversaries leverage Unix domain sockets (PITSTOP), shared memory segments via shmget (RotaJakiro), and anonymous pipes for inter-process communication. Medusa Ransomware and Cyclops Blink use the CreatePipe API to coordinate parallel operations. Raspberry Robin embeds a Tor client that communicates with its main payload via shared process memory. Detection focuses on named pipe creation by high-risk processes, non-standard pipe names matching known C2 framework patterns, and unusual network-based IPC$ share access."
references:
  - https://attack.mitre.org/techniques/T1559/
  - https://df00tech.com/detections/T1559
author: df00tech
date: 2026/04/21
tags:
  - attack.t1559
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The behaviour this rule is after (named pipe creation and connection) is Sysmon
# Event ID 17/18, which Sigma exposes as category pipe_created; network_connection
# events carry no pipe names at all. Remote IPC$ access (Security Event ID 5145,
# ShareName \\*\IPC$, RelativeTargetName = pipe) needs a separate rule with
# service: security, since a Sigma rule has exactly one logsource.
logsource:
  category: pipe_created
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches EVERY pipe_created event
  # and would fire constantly at level high. Replace it with the pipe-name patterns and
  # high-risk-process filters described above before loading this rule into a SIEM.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate administrative tools using IPC$ for remote management — PsExec, SC.exe, remote registry operations, and WMI will access standard pipes like svcctl and winreg over IPC$"
  - "Backup and monitoring agents (Veeam, Zabbix, SolarWinds) that use named pipes for inter-process coordination or query Windows services via SMB"
  - "Software deployment systems (SCCM, Intune) connecting to IPC$ shares on managed endpoints for policy application and software push installations"
  - "Database services (SQL Server) using named pipes as an alternative client connection transport, especially in environments with pipe-based connection strings"
  - "IT automation platforms (Ansible WinRM, Chef, Puppet) that use SMB and named pipes for remote configuration management on Windows targets"
  - "EDR and AV products that use named pipes for kernel-user communication may generate pipe creation events from svchost.exe or their own service processes"
level: high
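The three signals the description names (pipe creation by a high-risk process, pipe names matching known C2 framework defaults, and IPC$ access to a non-standard pipe) run over a handful of constructed events, as an added example that is not part of the df00tech rule or its KQL/SPL query. Field names follow Sysmon Event ID 17/18 and Security Event ID 5145 conventions, but every value is made up. The pipe-name patterns are Cobalt Strike's documented malleable-profile defaults (msagent_##, MSSE-####-server, postex_####, postex_ssh_####, status_##); the high-risk process list and the standard-pipe allowlist are assumptions to tune per fleet.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (values are made up). Field names follow Sysmon
# Event ID 17/18 (Image, PipeName) and Security Event ID 5145 (ShareName,
# RelativeTargetName, IpAddress) so the logic maps onto real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "PipeName": r"\msagent_5f"},
    {"EventID": 17, "Computer": "DB01",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "PipeName": r"\sql\query"},
    {"EventID": 18, "Computer": "WS02", "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\MSSE-1337-server"},
    {"EventID": 17, "Computer": "WS03", "Image": r"C:\Windows\explorer.exe",
     "PipeName": r"\chrome.sync.12345.67890"},
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.5", "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl"},
    {"EventID": 5145, "Computer": "WS04", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.23", "ShareName": r"\\*\IPC$", "RelativeTargetName": "postex_a1b2"},
]

# Cobalt Strike default pipe names from the malleable-profile defaults. Operators
# rename these, so a match is high confidence but a miss proves nothing.
C2_PIPE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^\\msagent_[0-9a-f]{2}$",        # SMB beacon default
    r"^\\MSSE-\d+-server$",            # artifact kit / stager default
    r"^\\postex_[0-9a-f]{4}$",         # post-exploitation job pipe
    r"^\\postex_ssh_[0-9a-f]{4}$",     # ssh post-exploitation pipe
    r"^\\status_[0-9a-f]{2}$",         # psexec / jump pipe
)]

# Assumption: processes that rarely have a legitimate reason to create a named pipe.
HIGH_RISK_IMAGES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                    "cscript.exe", "msbuild.exe", "powershell.exe"}

# Assumption: pipes that routine remote administration reaches over IPC$ (the
# falsepositives list above names svcctl and winreg); anything else is worth a look.
STANDARD_IPC_PIPES = {"svcctl", "winreg", "srvsvc", "wkssvc", "samr", "lsarpc",
                      "netlogon", "spoolss", "atsvc", "eventlog", "ntsvcs", "epmapper"}


def evaluate(event: Dict) -> List[str]:
    """Return every reason this one event should alert; an empty list means no alert."""
    reasons: List[str] = []
    eid = event.get("EventID")
    if eid in (17, 18):
        pipe = event.get("PipeName", "")
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        verb = "created" if eid == 17 else "connected to"
        if any(p.match(pipe) for p in C2_PIPE_PATTERNS):
            reasons.append(f"{image} {verb} pipe matching a C2 default name: {pipe}")
        if image in HIGH_RISK_IMAGES:
            reasons.append(f"high-risk process {image} {verb} pipe {pipe}")
    elif eid == 5145 and event.get("ShareName", "").upper().endswith("IPC$"):
        target = event.get("RelativeTargetName", "").lower()
        if target not in STANDARD_IPC_PIPES:
            reasons.append(f"remote IPC$ access to non-standard pipe {target} "
                           f"from {event.get('IpAddress')} as {event.get('SubjectUserName')}")
    return reasons


def alerts(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Run evaluate() over a stream and keep only the (host, reasons) pairs that fired."""
    hits: List[Tuple[str, List[str]]] = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev.get("Computer", "?"), reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in alerts(SAMPLE_EVENTS):
        for r in reasons:
            print(f"[{host}] {r}")
```

Two design points worth keeping when this is ported to a SIEM: the signals are evaluated independently and all fired reasons are kept, so an analyst sees that rundll32.exe creating msagent_5f tripped both the process and the pipe-name check, while svchost.exe connecting to MSSE-1337-server tripped only the name check (which is exactly the case the EDR/AV false positive above would otherwise hide); and the IPC$ check is an allowlist rather than a blocklist, so a renamed post-ex pipe reached over SMB still surfaces.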
