ioc[.]one - OSINT Cyber Threat Intelligence Database

Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor — Elastic Security Labs

Tags

cmtmf-attack-pattern:	Application Layer Protocol Obfuscated Files Or Information Process Injection
country:	U.S. Virgin Islands
attack-pattern:	Data Application Layer Protocol - T1437 Create Or Modify System Process - T1543 Dns - T1071.004 Dns - T1590.002 Dns Server - T1583.002 Dns Server - T1584.002 File And Directory Discovery - T1420 Gather Victim Network Information - T1590 Inter-Process Communication - T1559 Internal Proxy - T1090.001 Lateral Tool Transfer - T1570 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Process Discovery - T1424 Native Api - T1575 Process Injection - T1631 Server - T1583.004 Server - T1584.004 Thread Execution Hijacking - T1055.003 Token Impersonation/Theft - T1134.001 Windows Service - T1543.003 Standard Application Layer Protocol - T1071 Execution Through Api - T1106 File And Directory Discovery - T1083 Obfuscated Files Or Information - T1027 Process Discovery - T1057 Process Injection - T1055

Show in Graph

Common Information

Type	Value
UUID	43f71a51-9ed9-4d0b-88ea-989004c4f527
Fingerprint	356fb73129b90c91
Analysis status	DONE
Considered CTI value	2
Text language
Published	Feb. 27, 2023, midnight
Added to db	Nov. 20, 2023, 1:02 a.m.
Last updated	Nov. 17, 2024, 6:54 p.m.
Headline	Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor
Title	Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor — Elastic Security Labs
Detected Hints/Tags/Attributes	85/3/19

Source URLs

	Redirection	Url
Details	Source	https://www.elastic.co/security-labs/twice-around-the-dance-floor-with-pipedance

URL Provider

Details	Provider	Source level domain
Details	elastic.co	www.elastic.co

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	306	✔	Elastic Security Labs	https://www.elastic.co/security-labs/rss/feed.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	CTI	Value
Details	Domain	94		bing.com
Details	Domain	55		process.name
Details	Domain	2		endpoint.events.network
Details	Domain	1		exl.officeappsreviews.com
Details	File	8		dbgview.exe
Details	File	18		makecab.exe
Details	File	10		typeperf.exe
Details	File	4		openfiles.exe
Details	File	38		x64.dll
Details	File	2125		cmd.exe
Details	File	212		winlogon.exe
Details	File	11		w32tm.exe
Details	File	6		bootcfg.exe
Details	File	4		diskperf.exe
Details	File	25		esentutl.exe
Details	File	25		event.dat
Details	sha256	1		9d3f739e35182992f1e3ade48b8999fb3a5049f48c14db20e38ee63eddc5a1e7
Details	sha256	1		805a4250ec1f6b99f1d5955283c05cd491e1aa378444a782f7bd7aaf6e1e6ce7
Details	Yara rule	1		rule Windows_Trojan_PipeDance { meta: author = "Elastic Security" creation_date = "2023-02-02" last_modified = "2023-02-02" os = "Windows" arch = "x86" category_type = "Trojan" family = "PipeDance" threat_name = "Windows.Trojan.PipeDance" license = "Elastic License v2" strings: $str1 = "%-5d %-30s %-4s %-7d %s" wide fullword $str2 = "PID Name Arch Session User" wide fullword $str3 = "%s %7.2f B" wide fullword $str4 = "\\\\.\\pipe\\%s.%d" ascii fullword $seq_rc4 = { 8D 46 ?? 0F B6 F0 8A 14 3E 0F B6 C2 03 C1 0F B6 C8 89 4D ?? 8A 04 0F 88 04 3E 88 14 0F 0F B6 0C 3E 0F B6 C2 03 C8 0F B6 C1 8B 4D ?? 8A 04 38 30 04 0B 43 8B 4D ?? 3B 5D ?? 72 ?? } $seq_srv_resp = { 8B CE 50 6A 04 5A E8 ?? ?? ?? ?? B8 00 04 00 00 8D 4E ?? 50 53 8B D0 E8 ?? ?? ?? ?? B8 08 02 00 00 8D 8E ?? ?? ?? ?? 50 57 8B D0 E8 ?? ?? ?? ?? } $seq_cmd_dispatch = { 83 FE 29 0F 87 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 FE 06 0F 87 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B C6 33 D2 2B C2 0F 84 ?? ?? ?? ?? 83 E8 01 } $seq_icmp = { 59 6A 61 5E 89 45 ?? 8B D0 89 5D ?? 2B F0 8D 04 16 8D 4B ?? 88 0A 83 F8 77 7E ?? 80 E9 17 88 0A 43 42 83 FB 20 } condition: 4 of ($str) or 2 of ($seq) }