T1559: Inter-Process Communication

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

T1559: Inter-Process Communication

View on MITRE ATT&CK The MITRE Corporation · Published 12/02/2020 15:08 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1559
Confidence: 100/100
Revoked: No
Published: 12/02/2020 15:08
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

T1559

Platforms

windows macos linux

Description

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Fireeye Hunting COM June 2019
mitre-attack (T1559)
Linux IPC

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (20)

ScamClub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-26 (Lazarus) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NewsPenguin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tycoon Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sidewinder uses T-APT-04Rattlesnake

The MITRE Corporation Confidence 100

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RomCom uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework uses Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BladedFeline uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6691 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 20

PLASMAGRID uses

Family
VenomRAT uses

Family
Transparent Tribe uses
LunarWeb uses

Family
Uroburos uses
Xollam uses

Family
AndroRAT uses

Family The MITRE Corporation Confidence 100

[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ROADSWEEP uses

Family
Cobalt Strike uses

Family
RotaJakiro uses
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Win.Worm.Coinminer uses

← Previous

Page / 6

1–12 of 72

Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
New Yokai Side-loaded Backdoor Targets Thai Officials related

8 MITREs 1 Malware 20 Observables
Potential ZERO-DAY, Attackers Use Corrupted Files to Evade … related

9 MITREs 6 Observables
Infrastructure linking PandorahVNC and Mesh Central related

13 MITREs 5 Malwares 11 Observables 1 APT
Loki: a new private agent for the popular … related

8 MITREs 1 Malware 7 Observables
DarkCracks, an advanced malicious payload & upgrade framework … related

15 MITREs 2 Malwares 55 Observables
Campaign uses infostealers and clippers for financial gain related

16 MITREs 2 Malwares 68 Observables
Attackers Exploiting Public Cobalt Strike Profiles related

1 CVE 17 MITREs 1 Malware 6 Observables
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation … related

15 MITREs 3 Malwares 10 Observables 1 APT

Vulnerabilities (CVE) (24)

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2023-41974 KEV targets

7.8 High

Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.

Attack vector: LOCAL
Published: 10/01/2024
Modified: 15/03/2026

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2023-32434 KEV targets

7.8 High

Apple iOS. iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.

Attack vector: Local
Published: 23/06/2023
Modified: 03/03/2026

CVE-2023-36584 KEV targets

5.4 Medium

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability …

Attack vector: Network
Published: 16/11/2023
Modified: 27/05/2026

CVE-2023-32409 KEV targets

8.6 High

Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out …

Attack vector: Network
Published: 22/05/2023
Modified: 03/03/2026

CVE-2021-40444 KEV targets

Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 27/05/2026

CVE-2023-36884 KEV targets

7.5 High

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …

Attack vector: Network
Published: 17/07/2023
Modified: 27/05/2026

CVE-2024-23222 KEV targets

8.8 High

Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted …

Attack vector: Network
Complexity: LOW
Published: 23/01/2024
Modified: 04/04/2026

CWE-843

CVE-2020-27950 KEV targets

Apple iOS, iPadOS, macOS, and watchOS contain a memory initialization vulnerability that may allow a malicious application to disclose kernel memory.

Published: 03/11/2021
Modified: 03/03/2026

CVE-2024-23296 KEV targets

7.8 High

Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and …

Attack vector: Local
Complexity: LOW
Published: 05/03/2024
Modified: 04/04/2026

CWE-787

CVE-2023-38606 KEV targets

5.5 Medium

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.

Attack vector: Local
Published: 26/07/2023
Modified: 21/12/2025

← Previous

Page / 2

1–12 of 24

XPC Services subtechnique-of

MITRE
Component Object Model subtechnique-of

T1559.001 MITRE

Campaign (2)

3CX Supply Chain Attack uses
Operation MidnightEclipse uses

Course Of Action (5)

Behavior Prevention on Endpoint mitigates
Application Developer Guidance mitigates
Disable or Remove Feature or Program mitigates
Software Configuration mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use