Skip to content

S0501 PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group.1

Item Value
ID S0501
Associated Names
Version 1.1
Created 24 August 2020
Last Modified 26 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control PipeMon installer can use UAC bypass techniques to install the payload.1
enterprise T1134 Access Token Manipulation -
enterprise T1134.002 Create Process with Token PipeMon can attempt to gain administrative privileges using token impersonation.1
enterprise T1134.004 Parent PID Spoofing PipeMon can use parent PID spoofing to elevate privileges.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.012 Print Processors The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.1
enterprise T1140 Deobfuscate/Decode Files or Information PipeMon can decrypt password-protected executables.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography PipeMon communications are RC4 encrypted.1
enterprise T1008 Fallback Channels PipeMon can switch to an alternate C2 domain when a particular date has been reached.1
enterprise T1105 Ingress Tool Transfer PipeMon can install additional modules via C2 commands.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.1
enterprise T1112 Modify Registry PipeMon has modified the Registry to store its encrypted payload.1
enterprise T1106 Native API PipeMon‘s first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.1
enterprise T1095 Non-Application Layer Protocol The PipeMon communication module can use a custom protocol based on TLS over TCP.1
enterprise T1027 Obfuscated Files or Information PipeMon modules are stored encrypted on disk.1
enterprise T1027.011 Fileless Storage PipeMon has stored its encrypted payload in the Registry under HKLM\SOFTWARE\Microsoft\Print\Components\.1
enterprise T1057 Process Discovery PipeMon can iterate over the running processes to find a suitable injection target.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection PipeMon can inject its modules into various processes using reflective DLL loading.1
enterprise T1129 Shared Modules PipeMon has used call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery PipeMon can check for the presence of ESET and Kaspersky security software.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing PipeMon, its installer, and tools are signed with stolen code-signing certificates.1
enterprise T1082 System Information Discovery PipeMon can collect and send OS version and computer name as a part of its C2 beacon.1
enterprise T1016 System Network Configuration Discovery PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.1
enterprise T1124 System Time Discovery PipeMon can send time zone information from a compromised host to C2.1

Groups That Use This Software

ID Name References
G0044 Winnti Group 1