Winnti Pipemon Characteristics

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.t1574.001 attack.g0044 detection.emerging-threats  ·
Share on: linkedin copy

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Sigma rule (View on GitHub)

 1title: Winnti Pipemon Characteristics
 2id: 73d70463-75c9-4258-92c6-17500fe972f2
 3status: stable
 4description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
 5references:
 6    - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
 7author: Florian Roth (Nextron Systems), oscd.community
 8date: 2020-07-30
 9modified: 2021-11-27
10tags:
11    - attack.privilege-escalation
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.t1574.001
15    - attack.g0044
16    - detection.emerging-threats
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_1:
22        CommandLine|contains: 'setup0.exe -p'
23    selection_2:
24        CommandLine|contains: 'setup.exe'
25        CommandLine|endswith:
26            - '-x:0'
27            - '-x:1'
28            - '-x:2'
29    condition: 1 of selection_*
30falsepositives:
31    - Legitimate setups that use similar flags
32level: critical

References

  • No “Game over” for the Winnti Group

    ESET researchers have discovered a new, modular backdoor that they named PipeMon and that was used by the Winnti Group against several South Korea- and Taiwan-based companies that develop MMO (Massively Multiplayer Online) games.


    Read More

Related rules

to-top