PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group. (Citation: ESET PipeMon May 2020)
ID: S0501
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 24 Aug 2020
Last Modified: 11 Apr 2024

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | PipeMon installer can use UAC bypass techniques to install the payload. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | PipeMon can attempt to gain administrative privileges using token impersonation. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1134.004 | Access Token Manipulation: Parent PID Spoofing | PipeMon can use parent PID spoofing to elevate privileges. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1547.012 | Boot or Logon Autostart Execution: Print Processors | The PipeMon installer has modified the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors` to install PipeMon as a Print Processor. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | PipeMon communications are RC4 encrypted. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | PipeMon has stored its encrypted payload in the Registry under `HKLM\SOFTWARE\Microsoft\Print\Components\`. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PipeMon modules are stored encrypted on disk. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | PipeMon can inject its modules into various processes using reflective DLL loading. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | PipeMon can check for the presence of ESET and Kaspersky security software. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | PipeMon, its installer, and tools are signed with stolen code-signing certificates. (Citation: ESET PipeMon May 2020) |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0044 | Winnti Group | (Citation: ESET PipeMon May 2020) |
