interprocess-communication.md

File metadata and controls

65 lines (53 loc) · 3.12 KB
| ID | C0003 |
|---|---|
| Objective(s) | Communication |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 14 August 2020 |
| Last Modified | 13 September 2023 |

Interprocess Communication

The Interprocess Communication micro-behavior focuses on interprocess communication.

Methods

| Name | ID | Description |
|---|---|---|
| Connect Pipe | C0003.002 | |
| Create Pipe | C0003.001 | |
| Read Pipe | C0003.003 | |
| Write Pipe | C0003.004 | |

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Hupigon | 2013 | C0003.001 | Hupigon creates two anonymous pipes. [1] |
| Hupigon | 2013 | C0003.004 | Hupigon writes pipes. [1] |
| Poison Ivy | 2005 | C0003.004 | Poison Ivy writes pipes. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| create mailslot | Interprocess Communication (C0003) | kernel32.CreateMailslot, kernel32.GetMailslotInfo, kernel32.SetMailslotInfo |
| read from mailslot | Interprocess Communication (C0003) | kernel32.GetMailslotInfo, kernel32.ReadFile, kernel32.ReadFileEx |
| create pipe | Interprocess Communication::Create Pipe (C0003.001) | kernel32.CreatePipe, kernel32.CreateNamedPipe, System.IO.Pipes.AnonymousPipeClientStream::ctor, System.IO.Pipes.NamedPipeClientStream::ctor, System.IO.Pipes.AnonymousPipeServerStream::ctor, System.IO.Pipes.AnonymousPipeServerStreamAcl::Create, System.IO.Pipes.NamedPipeServerStream::ctor, System.IO.Pipes.NamedPipeServerStreamAcl::Create |
| create two anonymous pipes | Interprocess Communication::Create Pipe (C0003.001) | |
| write pipe | Interprocess Communication::Write Pipe (C0003.004) | kernel32.WriteFile, kernel32.TransactNamedPipe, kernel32.CallNamedPipe |
| connect pipe | Interprocess Communication::Connect Pipe (C0003.002) | kernel32.ConnectNamedPipe, kernel32.CallNamedPipe, System.IO.Pipes.NamedPipeClientStream::Connect, System.IO.Pipes.NamedPipeClientStream::ConnectAsync |
| read pipe | Interprocess Communication::Read Pipe (C0003.003) | kernel32.PeekNamedPipe, kernel32.ReadFile, kernel32.TransactNamedPipe, kernel32.CallNamedPipe |

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022