PipeMon
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | The PipeMon installer can use UAC bypass techniques to install the payload. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | PipeMon can attempt to gain administrative privileges using token impersonation. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1134.004 | Access Token Manipulation: Parent PID Spoofing | PipeMon can use parent PID spoofing to elevate privileges. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1547.012 | Boot or Logon Autostart Execution: Print Processors | The PipeMon installer has modified the Registry key |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor, which is loaded when the print spooler service starts. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | PipeMon communications are RC4 encrypted. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PipeMon modules are stored on disk with seemingly benign names, including use of a file extension associated with a popular word processor. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | PipeMon has stored its encrypted payload in the Registry under `HKLM\SOFTWARE\Microsoft\Print\Components\`. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PipeMon modules are stored encrypted on disk. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | PipeMon can inject its modules into various processes using reflective DLL loading. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | PipeMon can check for the presence of ESET and Kaspersky security software. (Citation: ESET PipeMon May 2020) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | PipeMon, its installer, and its tools are signed with stolen code-signing certificates. (Citation: ESET PipeMon May 2020) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0044 | Winnti Group | (Citation: ESET PipeMon May 2020) |