title: Winnti Pipemon Characteristics
author: Florian Roth, oscd.community
date: 2020/07/30
description: Detects specific process characteristics of Winnti Pipemon malware reported
  by ESET
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*setup0.exe -p*'
  SELECTION_3:
    CommandLine: '*setup.exe*'
  SELECTION_4:
    CommandLine:
    - '*-x:0'
    - '*-x:1'
    - '*-x:2'
  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
falsepositives:
- Legitimate setups that use similar flags
id: 73d70463-75c9-4258-92c6-17500fe972f2
level: critical
logsource:
  category: process_creation
  product: windows
references:
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
status: experimental
tags:
- attack.defense_evasion
- attack.t1574.002
- attack.t1073
- attack.g0044
ruletype: SIGMA