title: Winnti Pipemon Characteristics id: 73d70463-75c9-4258-92c6-17500fe972f2 status: experimental description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET references: - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ tags: - attack.defense_evasion - attack.t1574.002 - attack.t1073 # an old one - attack.g0044 author: Florian Roth, oscd.community date: 2020/07/30 logsource: category: process_creation product: windows detection: selection1: CommandLine|contains: - 'setup0.exe -p' selection2: CommandLine|contains|all: - 'setup.exe' CommandLine|endswith: - '-x:0' - '-x:1' - '-x:2' condition: 1 of them falsepositives: - Legitimate setups that use similar flags level: critical