MITRE ATT&CK® Analytic

AN1358: Analytic 1358

Detects abuse of UNIX domain sockets, pipes, or message queues for unauthorized code execution. Correlates unexpected socket creation with suspicious binaries, abnormal shell pipelines, or injected processes establishing IPC channels.

Domain: Enterprise. ID: AN1358. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic focuses on Linux abuse of inter-process communication mechanisms such as UNIX domain sockets, pipes, and message queues where they may be used to support unauthorized code execution. For leaders, the practical issue is visibility: these behaviors can occur inside normal-looking Linux activity, so SOC and IR teams need evidence that can distinguish legitimate application IPC from suspicious process, shell, or binary behavior.

Executive priority

Prioritize this where Linux systems support critical services, sensitive workloads, or regulated operations. The business decision is not simply whether an alert exists, but whether teams can prove they collect enough process and IPC-related telemetry to investigate unexpected socket creation, abnormal shell pipelines, and suspicious binaries. This supports incident readiness, audit evidence for monitoring coverage, and resilience planning for Linux-dependent services.

Technical view

For SOC and detection engineering, validate Linux telemetry that can correlate IPC activity with process context. The supplied analytic description highlights unexpected socket creation, suspicious binaries, abnormal shell pipelines, and injected processes establishing IPC channels. Detection should therefore focus on relationships between process execution, shell command patterns, binary reputation or location, and creation or use of UNIX domain sockets, pipes, or message queues. No ATT&CK tactic mapping or formal detection logic is supplied, so teams should tune against local baselines for legitimate service managers, databases, containers, middleware, and administrative scripts.

Likely telemetry

  • Linux process creation and command-line telemetry
  • Parent-child process relationships
  • Shell pipeline activity
  • UNIX domain socket creation or connection evidence
  • Pipe and message queue usage where available

Detection direction

  • Confirm whether endpoint or host telemetry exposes UNIX domain socket, pipe, and message queue activity with enough process context for correlation.
  • Baseline expected IPC behavior for major Linux services before treating socket or pipe creation as suspicious.
  • Tune for combinations of signals rather than IPC activity alone, such as unexpected socket creation plus unusual shell pipelines or suspicious binaries.
  • Review false positives from legitimate daemons, container runtimes, service supervisors, monitoring agents, and administrative automation.
  • Because no official detection logic is provided, document local assumptions, data sources, and test cases used to validate coverage.
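As an added illustration of the combination-of-signals tuning described above (example code, not part of the MITRE analytic or of Glexia's content), the following Python sketch correlates constructed process-execution and UNIX-socket events and alerts only when two or more weak signals coincide on the same process. The baseline set, trusted path prefixes and event schema are assumptions that a real deployment would derive from its own telemetry.

```python
import re

# Constructed baseline: daemons whose UNIX-socket use is expected on this host.
# Real deployments derive this from observed behaviour, not a fixed list.
BASELINE_SOCKET_OWNERS = {"systemd", "dbus-daemon", "containerd", "dockerd", "sshd"}
TRUSTED_EXE_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")
WORLD_WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# A shell pipeline whose right-hand side is another interpreter.
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(sh|bash|dash|python3?|perl)\b")

def correlate(events):
    """Assumed schema (constructed): exec events carry pid/exe/cmdline; socket
    events carry pid, address family and bind/connect path, in time order.
    Returns (pid, exe, signals) tuples where two or more weak signals coincide."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev          # keep process context for later IPC events
            continue
        if ev["type"] != "socket" or ev.get("family") != "AF_UNIX":
            continue
        proc = procs.get(ev["pid"])
        if proc is None:                   # no process context: cannot correlate
            continue
        if proc["exe"].rsplit("/", 1)[-1] in BASELINE_SOCKET_OWNERS:
            continue                       # baselined IPC-heavy service
        signals = []
        if not proc["exe"].startswith(TRUSTED_EXE_PREFIXES):
            signals.append("exe_outside_trusted_paths")
        if PIPE_TO_INTERPRETER.search(proc["cmdline"]):
            signals.append("shell_pipeline_into_interpreter")
        if ev.get("path", "").startswith(WORLD_WRITABLE_DIRS):
            signals.append("socket_path_in_world_writable_dir")
        if len(signals) >= 2:              # a combination of signals, not IPC alone
            alerts.append((ev["pid"], proc["exe"], signals))
    return alerts

# Constructed sample telemetry: two benign socket users and two suspicious ones.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 410, "exe": "/usr/bin/dbus-daemon", "cmdline": "dbus-daemon --system"},
    {"type": "socket", "pid": 410, "family": "AF_UNIX", "path": "/run/dbus/system_bus_socket"},
    {"type": "exec", "pid": 2200, "exe": "/usr/sbin/nginx", "cmdline": "nginx -g daemon off;"},
    {"type": "socket", "pid": 2200, "family": "AF_UNIX", "path": "/run/php/php-fpm.sock"},
    {"type": "exec", "pid": 3141, "exe": "/tmp/.cache/helper", "cmdline": "/tmp/.cache/helper"},
    {"type": "socket", "pid": 3141, "family": "AF_UNIX", "path": "/dev/shm/.ctl"},
    {"type": "exec", "pid": 3150, "exe": "/usr/bin/bash", "cmdline": "bash -c 'cat /tmp/stage | sh'"},
    {"type": "socket", "pid": 3150, "family": "AF_UNIX", "path": "/tmp/.s"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only the last two processes; the dbus-daemon socket is baselined out and the nginx socket carries no second signal, which is the false-positive behaviour the bullets above ask for.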

Mitigation priorities

  • Improve Linux endpoint logging and retention for process execution, command lines, parent-child relationships, and IPC-relevant events.
  • Restrict and monitor execution from unusual paths and reduce unnecessary shell access on critical Linux systems.
  • Apply least privilege to service accounts and administrative users so IPC abuse has less opportunity to support unauthorized code execution.
  • Harden Linux workloads using standard system hardening, application isolation, and change-control practices appropriate to the environment.
  • Use incident response playbooks that include collection of process trees, open sockets, IPC artifacts, binaries, and recent shell activity.

Analyst notes and limits

This is a detection analytic object, not a technique object, and the supplied fields identify Linux as the only platform. The description provides useful behavioral anchors but no formal detection query, tactic mapping, related techniques, or relationship context. Treat it as a prompt to validate Linux host visibility and correlation quality rather than as a complete detection specification.

No official detection content, tactic, relationship context, aliases, labels, or external source detail beyond the MITRE ATT&CK reference was supplied. Environment-specific baselining is required to distinguish legitimate IPC-heavy applications from suspicious behavior. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1358

Detects abuse of UNIX domain sockets, pipes, or message queues for unauthorized code execution. Correlates unexpected socket creation with suspicious binaries, abnormal shell pipelines, or injected processes establishing IPC channels.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1c6d4279f4f24176...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 1c6d4279f4f2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1358 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.