- Daniel Stepanic (@DanielStepanic)
- Cyril François (@cyril_t_f)
This repository includes a Windows client application for sending commands to, and interacting with, the PIPEDANCE malware. PIPEDANCE is named-pipe malware that operates in a point-to-point fashion with capabilities such as:
- Command execution
- Retrieve running processes
- Enumerate directories
- Perform process injection (thread-hijacking / Heaven's Gate)
- Perform connectivity checks (HTTP, ICMP, TCP, DNS)
- Terminate processes
- Windows OS (tested with two different endpoints within the same network: one endpoint runs the malware sample (PIPEDANCE) and the other runs the PIPEDANCE client)
- PIPEDANCE sample
Testing Advice
- Disable or configure the Windows firewall to allow communication over the network.
- Named pipes in this project are used for inter-process communication (IPC) within the local network. Ensure that the appropriate permissions/controls are configured between the machines.
- Ensure that the user accounts or service accounts running the PIPEDANCE server/client have the necessary permissions to access and use the named pipes. This may involve configuring the appropriate security settings and permissions in Windows.
This project should NOT be used in a production environment. This is for testing and performing research that interacts directly with malware. Any activity related to this project should be conducted inside an isolated network.
Each PIPEDANCE sample comes with a hardcoded string that serves as the pipe name and RC4 key for encryption/decryption. For our testing, we used the existing hard-coded string found in our sample.
1. Compile the files included in this repository using the CMakeLists.txt file. This project will produce the PIPEDANCE client that allows interaction with the PIPEDANCE malware on a separate machine.
2. On one endpoint (Endpoint A), run the provided PIPEDANCE malware sample from this link. Please note, this is malware found in a real campaign; do not execute it in a non-testing environment.
3. On the second endpoint (Endpoint B), with the compiled client from Step 1, execute the program along with the target IP address or hostname of the machine running the PIPEDANCE malware (Endpoint A).

```
pipedance_client.exe 192.168.47.130
```

4. Follow the command prompts in order to use each function and its respective parameters. The table below lists the different functions and their required parameters.
Below is the list of available commands in the PIPEDANCE client application.
| Command ID | Description | Arguments |
|---|---|---|
| 0 | Stop PIPEDANCE client | |
| 1 | Terminate process by PID | PID (ex. 9867) |
| 2 | Run shell command and print output | Command (ex. ipconfig) |
| 4 | List files in current working directory | |
| 6 | Write file to disk | Filename (full path), file content |
| 7 | Get current working directory | |
| 8 | Change current working directory | Folder path |
| 9 | List running processes | |
| 23 | Create random process with hijacked token from provided PID and inject shellcode (32-bit) | PID (token hijack), shellcode |
| 24 | Create random process with hijacked token from provided PID and inject shellcode (64-bit) | PID (token hijack), shellcode |
| 25 | Open process from provided PID and inject shellcode (32-bit) | PID (thread hijack), shellcode |
| 26 | Open process from provided PID and inject shellcode (64-bit) | PID (thread hijack), shellcode |
| 71 | HTTP connectivity check | Domain (ex. google.com) |
| 72 | DNS connectivity check with provided DNS server IP | DNS server IP |
| 73 | ICMP connectivity check | ICMP server IP |
| 74 | TCP connectivity check | IP, port |
| 75 | DNS connectivity check without DNS server | |
| 99 | Disconnect pipe / exit thread | |
| 100 | Terminate PIPEDANCE process / disconnect pipe / exit thread | |
Detections:
- YARA - Windows.Trojan.PipeDance
- Suspicious Windows Service Execution
- NullSessionPipe Registry
- Potential Lateral Tool Transfer via SMB Share
Hunting Query:
```
process.name:("makecab.exe" or "typeperf.exe" or "w32tm.exe" or "bootcfg.exe" or "diskperf.exe" or "esentutl.exe") and event.dataset: endpoint.events.network
```
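To show how the hunting query above evaluates against endpoint telemetry, here is an added Python example (not part of this repository) that applies the same process-name and dataset conditions to a few constructed ECS-style events. Only `process.name`, `event.dataset` and the six process names come from the query; the event records, the other field names and the case-insensitive name comparison are assumptions.

```python
# Added example: apply the PIPEDANCE hunting query to ECS-style endpoint events.
# The sample events are constructed; field names other than process.name and
# event.dataset, and the case-insensitive comparison, are assumptions.
import json

# Process names from the hunting query: Windows binaries that PIPEDANCE uses as
# injection hosts and that rarely initiate network connections on their own.
SUSPECT_PROCESSES = {"makecab.exe", "typeperf.exe", "w32tm.exe",
                     "bootcfg.exe", "diskperf.exe", "esentutl.exe"}
NETWORK_DATASET = "endpoint.events.network"

# Constructed newline-delimited JSON events, as an endpoint agent might ship them.
SAMPLE_EVENTS = """\
{"host": {"name": "WS-01"}, "process": {"name": "makecab.exe", "pid": 4120}, "event": {"dataset": "endpoint.events.network"}, "destination": {"ip": "192.168.47.130", "port": 445}}
{"host": {"name": "WS-01"}, "process": {"name": "makecab.exe", "pid": 4120}, "event": {"dataset": "endpoint.events.process"}}
{"host": {"name": "WS-02"}, "process": {"name": "chrome.exe", "pid": 880}, "event": {"dataset": "endpoint.events.network"}, "destination": {"ip": "203.0.113.10", "port": 443}}
{"host": {"name": "WS-02"}, "process": {"name": "W32TM.EXE", "pid": 5012}, "event": {"dataset": "endpoint.events.network"}, "destination": {"ip": "192.0.2.53", "port": 53}}
"""

def get_field(event, dotted):
    """Resolve an ECS dotted field name such as 'process.name' in a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_hunt(event):
    """True when the event satisfies both conditions of the hunting query.
    Names are lower-cased before matching (assumption: the query's keyword
    matching is case-normalized); drop .lower() for strict matching."""
    name = get_field(event, "process.name")
    dataset = get_field(event, "event.dataset")
    return (isinstance(name, str) and name.lower() in SUSPECT_PROCESSES
            and dataset == NETWORK_DATASET)

def hunt(ndjson):
    """Return (host, process, pid, 'ip:port') tuples for every matching event."""
    hits = []
    for line in filter(str.strip, ndjson.splitlines()):
        event = json.loads(line)
        if matches_hunt(event):
            hits.append((get_field(event, "host.name"),
                         get_field(event, "process.name"),
                         get_field(event, "process.pid"),
                         f"{get_field(event, 'destination.ip')}:{get_field(event, 'destination.port')}"))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("PIPEDANCE hunt hit:", hit)
```

The second event is excluded because its dataset is a process event, not a network event, which is what separates ordinary execution of these binaries from the injected-process behaviour the query targets.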
