| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | PipeMon installer can use UAC bypass techniques to install the payload. | 
| enterprise | T1134 | Access Token Manipulation | - | 
| enterprise | T1134.002 | Create Process with Token | PipeMon can attempt to gain administrative privileges using token impersonation. | 
| enterprise | T1134.004 | Parent PID Spoofing | PipeMon can use parent PID spoofing to elevate privileges. | 
| enterprise | T1547 | Boot or Logon Autostart Execution | - | 
| enterprise | T1547.012 | Print Processors | The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor. |
| enterprise | T1543 | Create or Modify System Process | - | 
| enterprise | T1543.003 | Windows Service | PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts. | 
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PipeMon can decrypt password-protected executables. | 
| enterprise | T1573 | Encrypted Channel | - | 
| enterprise | T1573.001 | Symmetric Cryptography | PipeMon communications are RC4 encrypted. | 
| enterprise | T1008 | Fallback Channels | PipeMon can switch to an alternate C2 domain when a particular date has been reached. | 
| enterprise | T1105 | Ingress Tool Transfer | PipeMon can install additional modules via C2 commands. | 
| enterprise | T1036 | Masquerading | - | 
| enterprise | T1036.005 | Match Legitimate Name or Location | PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor. | 
| enterprise | T1112 | Modify Registry | PipeMon has modified the Registry to store its encrypted payload. | 
| enterprise | T1106 | Native API | PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer. |
| enterprise | T1095 | Non-Application Layer Protocol | The PipeMon communication module can use a custom protocol based on TLS over TCP. | 
| enterprise | T1027 | Obfuscated Files or Information | PipeMon modules are stored encrypted on disk. | 
| enterprise | T1027.011 | Fileless Storage | PipeMon has stored its encrypted payload in the Registry under HKLM\SOFTWARE\Microsoft\Print\Components\. | 
| enterprise | T1057 | Process Discovery | PipeMon can iterate over the running processes to find a suitable injection target. | 
| enterprise | T1055 | Process Injection | - | 
| enterprise | T1055.001 | Dynamic-link Library Injection | PipeMon can inject its modules into various processes using reflective DLL loading. | 
| enterprise | T1129 | Shared Modules | PipeMon has used a call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode. |
| enterprise | T1518 | Software Discovery | - | 
| enterprise | T1518.001 | Security Software Discovery | PipeMon can check for the presence of ESET and Kaspersky security software. | 
| enterprise | T1553 | Subvert Trust Controls | - | 
| enterprise | T1553.002 | Code Signing | PipeMon, its installer, and tools are signed with stolen code-signing certificates. | 
| enterprise | T1082 | System Information Discovery | PipeMon can collect and send OS version and computer name as a part of its C2 beacon. | 
| enterprise | T1016 | System Network Configuration Discovery | PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon. | 
| enterprise | T1124 | System Time Discovery | PipeMon can send time zone information from a compromised host to C2. |