| Technique | Use |
|---|---|
| Abuse Elevation Control Mechanism: Bypass User Account Control | PipeMon installer can use UAC bypass techniques to install the payload. |
| Access Token Manipulation: Create Process with Token | PipeMon can attempt to gain administrative privileges using token impersonation. |
| Parent PID Spoofing | PipeMon can use parent PID spoofing to elevate privileges. |
| Boot or Logon Autostart Execution | The PipeMon installer has modified the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors` to install PipeMon as a Print Processor. |
| Create or Modify System Process | PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor, which is loaded when the print spooler service starts. |
| Deobfuscate/Decode Files or Information | PipeMon can decrypt password-protected executables. |
| | PipeMon communications are RC4 encrypted. |
| | PipeMon can switch to an alternate C2 domain when a particular date has been reached. |
| Ingress Tool Transfer | PipeMon can install additional modules via C2 commands. |
| Match Legitimate Name or Location | PipeMon modules are stored on disk with seemingly benign names, including use of a file extension associated with a popular word processor. |
| | PipeMon has modified the Registry to store its encrypted payload. |
| | PipeMon's first stage has been executed by a call to `CreateProcess` with the decryption password in an argument. PipeMon has used a call to `LoadLibrary` to load its installer. |
| Non-Application Layer Protocol | The PipeMon communication module can use a custom protocol based on TLS over TCP. |
| Obfuscated Files or Information | PipeMon modules are stored encrypted on disk. |
| | PipeMon has stored its encrypted payload in the Registry under |
| | PipeMon can iterate over the running processes to find a suitable injection target. |
| Dynamic-link Library Injection | PipeMon can inject its modules into various processes using reflective DLL loading. |
| | PipeMon has used a call to `LoadLibrary` to load its installer. PipeMon loads its modules using reflective loading or custom shellcode. |
| Security Software Discovery | PipeMon can check for the presence of ESET and Kaspersky security software. |
| Subvert Trust Controls | PipeMon, its installer, and tools are signed with stolen code-signing certificates. |
| System Information Discovery | PipeMon can collect and send OS version and computer name as a part of its C2 beacon. |
| System Network Configuration Discovery | PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon. |
| System Time Discovery | PipeMon can send time zone information from a compromised host to C2. |
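The Print Processor persistence and the stolen-certificate signing described above are the two behaviours a defender can audit directly from the registry and the spooler's processor directory. The script below is an added example written for this page; it is not code from the ATT&CK page, from ESET, or from the PipeMon authors. It enumerates every `Print Processors` subkey under `HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments`, resolves each `Driver` value to the DLL the spooler would load, and flags anything that is not the stock `winprint.dll`, lacks a valid Authenticode signature, or does not carry a `.dll` extension (PipeMon's modules use a word-processor extension). The allow-list (`$KnownGood`), the environment-to-architecture folder mapping (`$ArchDir`), and the assumption that processor DLLs live under `%SystemRoot%\System32\spool\prtprocs\<arch>\` are all assumptions of this example, not facts stated by the page.

```powershell
# Added example (not from the ATT&CK page or the PipeMon authors): audit the
# Print Processors registry keys that PipeMon's installer modifies for
# persistence. Run as Administrator on the host being inspected.

# Hypothetical allow-list: the only print processor a stock Windows install ships.
$KnownGood = @('winprint.dll')

# Assumed mapping from environment key name to the prtprocs architecture subfolder.
$ArchDir = @{
    'Windows x64'    = 'x64'
    'Windows NT x86' = 'W32X86'
    'Windows ARM64'  = 'arm64'
}

function Get-PrintProcessorAudit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    foreach ($environment in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $ppKey = Join-Path $environment.PSPath 'Print Processors'
        if (-not (Test-Path $ppKey)) { continue }

        foreach ($proc in Get-ChildItem -Path $ppKey) {
            # Each processor subkey holds a "Driver" value naming the DLL the spooler loads.
            $driver = (Get-ItemProperty -Path $proc.PSPath -ErrorAction SilentlyContinue).Driver
            $sub    = $ArchDir[$environment.PSChildName]
            $dllPath = if ($sub -and $driver) {
                Join-Path "$env:SystemRoot\System32\spool\prtprocs\$sub" $driver
            } else { $null }

            $sig = if ($dllPath -and (Test-Path $dllPath)) {
                Get-AuthenticodeSignature -FilePath $dllPath
            } else { $null }

            $flags = @()
            if ($KnownGood -notcontains $driver) { $flags += 'non-default processor' }
            if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'missing or invalid signature' }
            if ($driver -and [IO.Path]::GetExtension($driver) -ne '.dll') { $flags += 'unexpected extension' }

            # A stolen but still-valid certificate passes the Status check, so the
            # signer subject is surfaced for a human to review rather than trusted.
            [PSCustomObject]@{
                Environment = $environment.PSChildName
                Processor   = $proc.PSChildName
                Driver      = $driver
                Path        = $dllPath
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Flags       = ($flags -join '; ')
            }
        }
    }
}

# Show only entries that raised at least one flag.
Get-PrintProcessorAudit | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Because the page notes that PipeMon's components are signed with stolen code-signing certificates, a `Valid` signature status on its own is not a clean bill of health; the `Signer` column exists so that an unfamiliar publisher on a print processor DLL can be compared against the organisation's expected vendors, and any processor other than the built-in one is worth tracing back to the change that registered it.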