{"description": "Enterprise techniques used by PipeMon, ATT&CK software S0501 (v1.2)", "name": "PipeMon (S0501)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) installer can use UAC bypass techniques to install the payload.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can attempt to gain administrative privileges using token impersonation.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.004", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can use parent PID spoofing to elevate privileges.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.012", "comment": "The [PipeMon](https://attack.mitre.org/software/S0501) installer has modified the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors to install [PipeMon](https://attack.mitre.org/software/S0501) as a Print Processor.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": 
"[PipeMon](https://attack.mitre.org/software/S0501) can decrypt password-protected executables.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) communications are RC4 encrypted.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1008", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can switch to an alternate C2 domain when a particular date has been reached.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can install additional modules via C2 commands.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) has modified the Registry to store its encrypted payload.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[PipeMon](https://attack.mitre.org/software/S0501)'s first stage has been executed by a call to CreateProcess with the decryption password in an argument.\n[PipeMon](https://attack.mitre.org/software/S0501) has used a call to LoadLibrary to load its installer.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "The [PipeMon](https://attack.mitre.org/software/S0501) communication module can use a custom protocol based on TLS over TCP.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) has stored its encrypted payload in the Registry under `HKLM\\SOFTWARE\\Microsoft\\Print\\Components\\`.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) modules are stored encrypted on disk.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can iterate over the running processes to find a suitable injection target.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can inject its modules into various processes using reflective DLL loading.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) has used a call to LoadLibrary to load its installer.\n[PipeMon](https://attack.mitre.org/software/S0501) loads its modules using reflective loading or custom shellcode.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can check for the presence of ESET and Kaspersky security software.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[PipeMon](https://attack.mitre.org/software/S0501), its installer, and tools are signed with stolen code-signing certificates.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can collect and send OS version and computer name as a part of its C2 beacon.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[PipeMon](https://attack.mitre.org/software/S0501) can send time zone information from a compromised host to C2.(Citation: ESET PipeMon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PipeMon", "color": "#66b1ff"}]}