Ctrl+K

T1559 - Inter-Process Communication

T1559 - Inter-Process Communication#

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms. Adversaries may also use Remote Services such as Distributed Component Object Model to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)

Atomic Tests#

Atomic Test #1 - Cobalt Strike Artifact Kit pipe#

Uses the Named Pipes Micro Emulation executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.

The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Named pipe executors must exist on disk#
Check Prereq Commands:#
if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"


Invoke-AtomicTest T1559 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with command_prompt#

"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 1

Invoke-AtomicTest T1559 -TestNumbers 1

Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe#

Uses the Named Pipes Micro Emulation executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.

The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Named pipe executors must exist on disk#
Check Prereq Commands:#
if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"


Invoke-AtomicTest T1559 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with command_prompt#

"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 2

Invoke-AtomicTest T1559 -TestNumbers 2

Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe#

Uses the Named Pipes Micro Emulation executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.

The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Named pipe executors must exist on disk#
Check Prereq Commands:#
if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"


Invoke-AtomicTest T1559 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with command_prompt#

"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 3

Invoke-AtomicTest T1559 -TestNumbers 3

Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)#

Uses the Named Pipes Micro Emulation executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.

The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Named pipe executors must exist on disk#
Check Prereq Commands:#
if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"


Invoke-AtomicTest T1559 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with command_prompt#

"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 4

Invoke-AtomicTest T1559 -TestNumbers 4

Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)#

Uses the Named Pipes Micro Emulation executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.

The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Named pipe executors must exist on disk#
Check Prereq Commands:#
if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe") -and (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_client.exe") -and ("Test-Path PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_server.exe")) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\..\ExternalPayloads"


Invoke-AtomicTest T1559 -TestNumbers 5 -GetPreReqs

Attack Commands: Run with command_prompt#

"PathToAtomicsFolder\..\ExternalPayloads\build\namedpipes_executor.exe" --pipe 5

Invoke-AtomicTest T1559 -TestNumbers 5

Detection#

Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.

Shield Active Defense#

Software Manipulation#

Make changes to a system’s software properties and functions to achieve a desired effect.

Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.

Opportunity#

There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.

Use Case#

A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.

Procedures#

Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities. Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use. Alter the output of an adversary’s profiling commands to make newly-built systems look like the operating system was installed months earlier. Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.

Contents