Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
Sigma rule (View on GitHub)
1title: Winnti Pipemon Characteristics
2id: 73d70463-75c9-4258-92c6-17500fe972f2
3status: stable
4description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
5references:
6 - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
7author: Florian Roth (Nextron Systems), oscd.community
8date: 2020/07/30
9modified: 2021/11/27
10tags:
11 - attack.defense_evasion
12 - attack.t1574.002
13 - attack.g0044
14 - detection.emerging_threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_1:
20 CommandLine|contains: 'setup0.exe -p'
21 selection_2:
22 CommandLine|contains: 'setup.exe'
23 CommandLine|endswith:
24 - '-x:0'
25 - '-x:1'
26 - '-x:2'
27 condition: 1 of selection_*
28falsepositives:
29 - Legitimate setups that use similar flags
30level: critical
References
-
ESET researchers have discovered a new, modular backdoor that they named PipeMon and that was used by the Winnti Group against several South Korea- and Taiwan-based companies that develop MMO (Massively Multiplayer Online) games.
Read More
Related rules
- Winnti Malware HK University Campaign
- APT27 - Emissary Panda Activity
- Potential PlugX Activity
- APT PRIVATELOG Image Load Pattern
- COLDSTEEL Persistence Service Creation