Winnti Pipemon Characteristics

calendar Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.execution attack.stealth attack.t1574.001 attack.g0044 detection.emerging-threats  ·
Share on: linkedin copy

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Sigma rule (View on GitHub)

 1title: Winnti Pipemon Characteristics
 2id: 73d70463-75c9-4258-92c6-17500fe972f2
 3status: stable
 4description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
 5references:
 6    - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
 7author: Florian Roth (Nextron Systems), oscd.community
 8date: 2020-07-30
 9modified: 2021-11-27
10tags:
11    - attack.privilege-escalation
12    - attack.persistence
13    - attack.execution
14    - attack.stealth
15    - attack.t1574.001
16    - attack.g0044
17    - detection.emerging-threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_1:
23        CommandLine|contains: 'setup0.exe -p'
24    selection_2:
25        CommandLine|contains: 'setup.exe'
26        CommandLine|endswith:
27            - '-x:0'
28            - '-x:1'
29            - '-x:2'
30    condition: 1 of selection_*
31falsepositives:
32    - Legitimate setups that use similar flags
33level: critical

References

  • No “Game over” for the Winnti Group

    ESET researchers have discovered a new, modular backdoor that they named PipeMon and that was used by the Winnti Group against several South Korea- and Taiwan-based companies that develop MMO (Massively Multiplayer Online) games.


    Read More

Related rules

to-top