
S0208: Pasam

Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. [1] [2]

Domain: Enterprise | ID: S0208 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Pasam is a Windows trojan described by ATT&CK as opening a backdoor on compromised hosts and associated through ATT&CK relationships with Elderwood. Its mapped behaviors matter because they combine persistence, discovery, local data collection, tool transfer, and cleanup. For leaders, this is less about one malware name and more about whether Windows endpoint, network, and incident response controls can prove what a backdoored host did after compromise.

Executive priority

Prioritize Pasam as a validation case for post-compromise resilience: can the organization detect unauthorized persistence involving LSASS-related components, identify discovery and local data access, see inbound tool transfer, and preserve evidence when files are deleted? This supports incident decision-making, audit evidence for endpoint monitoring, and risk conversations around high-value Windows systems that could be used for espionage or follow-on activity.

Technical view

ATT&CK provides no official detection text and no tactics for the malware object itself, so defenders should validate coverage through the related techniques: Data from Local System, Process Discovery, File Deletion, System Information Discovery, File and Directory Discovery, Ingress Tool Transfer, LSASS Driver persistence, and Local Storage Discovery. Focus on Windows hosts, because that is the supplied platform for Pasam, while noting that several related techniques have broader ATT&CK platform coverage. SOC and IR teams should correlate endpoint process/file activity, LSASS-related persistence changes, external network transfer activity, and deletion events into a post-compromise storyline rather than treating each behavior as an isolated alert.

Likely telemetry

  • Windows endpoint detection and response events for process execution and parent-child process relationships
  • Command-line and script execution logs where available
  • File creation, modification, enumeration, access, and deletion events on Windows hosts
  • Driver, service, and LSASS/LSA-related configuration change telemetry relevant to persistence
  • Network connection, proxy, firewall, and DNS telemetry for backdoor communications or tool transfer indications

Detection direction

  • Because ATT&CK does not provide a Pasam-specific detection, validate behavior-based analytics against the mapped techniques rather than relying only on malware signatures.
  • Tune discovery detections to distinguish normal administration and software inventory activity from unusual process, system, file, directory, and local storage enumeration on sensitive Windows systems.
  • Correlate possible ingress tool transfer with new files, subsequent execution, outbound connections, and cleanup/deletion events.
  • Review monitoring for LSASS Driver-related persistence, with attention to unauthorized changes to security subsystem components or related configuration paths.
  • Account for false positives from legitimate administrators, endpoint management tools, backup software, and vulnerability scanners that may enumerate systems or files at scale.
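The correlation described under Technical view and in the Detection direction items above, as an added example that is not part of this page, of ATT&CK, or of any Pasam sample: a small Python correlator that stitches Sysmon-style events (process create, file create, registry value set, network connect, file delete) for one host into an ordered storyline. The host names, paths, the 203.0.113.x destinations, the discovery-tool list and the allowlist of processes permitted to write under the Lsa key are constructed assumptions, not Pasam indicators; the stage labels follow the techniques mapped to Pasam on this page. A host is flagged only when at least three distinct stages occur within a two-hour window, so a legitimate inventory agent that enumerates processes and reaches a vendor service (the false-positive case the last item warns about) stays below the threshold.

```python
"""Stitch Windows endpoint events into a post-compromise storyline (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Stage labels in storyline order, tied to the techniques ATT&CK maps to Pasam.
STAGE_ORDER = ["ingress", "execute", "discovery", "persist_lsa", "c2", "cleanup"]
DISCOVERY_IMAGES = {"tasklist.exe", "systeminfo.exe", "hostname.exe", "whoami.exe", "net.exe"}
LSA_KEY_PREFIX = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_TRUSTED_WRITERS = {"services.exe", "msiexec.exe", "trustedinstaller.exe", "lsass.exe"}  # assumed allowlist
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_STAGES = 3             # distinct stages needed before a host is flagged
WINDOW = timedelta(hours=2)


def _base(path):
    return PureWindowsPath(path).name.lower()


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, min_stages=MIN_STAGES, window=WINDOW):
    """Return {host: {"storyline": [(ts, stage, detail)], "stages": [...], "flagged": bool}}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    reports = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        # Pass 1: which executables were dropped then run, and which images talked outside.
        dropped, executed, suspect = {}, set(), set()
        for e in evs:
            img = e["image"].lower()
            if e["type"] == "FileCreate" and PureWindowsPath(e["target"]).suffix.lower() in EXECUTABLE_SUFFIXES:
                dropped[e["target"].lower()] = img
            elif e["type"] == "ProcessCreate" and img in dropped:
                executed.add(img)
                suspect.add(img)
            elif e["type"] == "NetworkConnect" and _is_external(e["dst_ip"]):
                suspect.add(img)
        # Pass 2: walk the timeline and label the stages that involve suspect images.
        storyline = []
        for e in evs:
            img, t = e["image"].lower(), e["type"]
            if t == "FileCreate" and e["target"].lower() in executed:
                storyline.append((e["ts"], "ingress", f"{img} wrote {e['target']} (later executed)"))
            elif t == "ProcessCreate" and img in executed:
                storyline.append((e["ts"], "execute", f"{img} started by {e['parent']}"))
            elif t == "ProcessCreate" and _base(img) in DISCOVERY_IMAGES and e["parent"].lower() in suspect:
                storyline.append((e["ts"], "discovery", f"{_base(img)} spawned by {e['parent']}"))
            elif (t == "RegistryValueSet" and e["target"].lower().startswith(LSA_KEY_PREFIX.lower())
                  and (img in suspect or _base(img) not in LSA_TRUSTED_WRITERS)):
                storyline.append((e["ts"], "persist_lsa", f"{img} set {e['target']}"))
            elif t == "NetworkConnect" and img in suspect and _is_external(e["dst_ip"]):
                storyline.append((e["ts"], "c2", f"{img} -> {e['dst_ip']}:{e['dst_port']}"))
            elif t == "FileDelete" and (img in suspect or e["target"].lower() in dropped):
                storyline.append((e["ts"], "cleanup", f"{img} deleted {e['target']}"))
        stages = sorted({s for _, s, _ in storyline}, key=STAGE_ORDER.index)
        span = storyline[-1][0] - storyline[0][0] if storyline else timedelta(0)
        reports[host] = {"storyline": storyline, "stages": stages,
                         "flagged": len(stages) >= min_stages and span <= window}
    return reports


def _t(hhmm):  # constructed timestamps on a single day
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")


def _ev(hhmm, host, etype, image, **fields):
    return {"ts": _t(hhmm), "host": host, "type": etype, "image": image, **fields}


BACKDOOR = r"C:\ProgramData\svchost.exe"   # constructed masquerade path, not a Pasam indicator
TOOL = r"C:\Windows\Temp\tool.exe"
AGENT = r"C:\Program Files\Inventory\agent.exe"
SAMPLE_EVENTS = [
    # WS-FIN-07: a backdoored host (constructed)
    _ev("09:10", "WS-FIN-07", "ProcessCreate", BACKDOOR, parent=r"C:\Windows\explorer.exe"),
    _ev("09:11", "WS-FIN-07", "NetworkConnect", BACKDOOR, dst_ip="203.0.113.10", dst_port=443),
    _ev("09:12", "WS-FIN-07", "ProcessCreate", r"C:\Windows\System32\tasklist.exe", parent=BACKDOOR),
    _ev("09:12", "WS-FIN-07", "ProcessCreate", r"C:\Windows\System32\systeminfo.exe", parent=BACKDOOR),
    _ev("09:15", "WS-FIN-07", "FileCreate", BACKDOOR, target=TOOL),
    _ev("09:16", "WS-FIN-07", "ProcessCreate", TOOL, parent=BACKDOOR),
    _ev("09:18", "WS-FIN-07", "RegistryValueSet", TOOL, target=LSA_KEY_PREFIX + r"\Security Packages"),
    _ev("09:20", "WS-FIN-07", "FileDelete", BACKDOOR, target=TOOL),
    # WS-HR-02: a legitimate inventory agent that enumerates processes and reaches a vendor service (constructed)
    _ev("09:30", "WS-HR-02", "NetworkConnect", AGENT, dst_ip="203.0.113.50", dst_port=443),
    _ev("09:31", "WS-HR-02", "ProcessCreate", r"C:\Windows\System32\tasklist.exe", parent=AGENT),
]

if __name__ == "__main__":
    for host, report in correlate(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if report["flagged"] else "below threshold", report["stages"])
        for ts, stage, detail in report["storyline"]:
            print("  ", ts.strftime("%H:%M"), stage, detail)
```

The two-pass design matters: the first pass decides which images are suspect (dropped-then-executed, or talking outside the internal ranges) before any stage is labelled, so discovery commands that run before the first outbound connection are still attributed to the backdoor. Tuning is done by editing the allowlists and the stage threshold rather than by adding signatures.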

Mitigation priorities

  • Start with visibility: confirm Windows endpoint, process, file, network, and persistence-change telemetry is collected and retained for critical systems.
  • Harden persistence surfaces by restricting administrative rights and monitoring changes to LSASS/LSA-related components and drivers.
  • Use network egress controls and proxy/DNS logging to limit and investigate unexpected external communications from endpoints.
  • Apply least privilege and access controls to reduce exposure of sensitive local data available to a compromised host.
  • Prepare IR playbooks for backdoor malware that include host isolation, evidence preservation, review of transferred tools, and scoping of discovery and data access activity.
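One way to turn the LSASS/LSA monitoring item above and the LSASS Driver (T1547.008) relationship in the table below into a repeatable check, as an added example that is not part of this page, of ATT&CK, or of any Pasam sample: a Python audit of a host snapshot against a known-good baseline. The snapshot and baseline are constructed. The registry value names under the Lsa key are real, but the package lists and hash strings are placeholders to be recorded from your own gold image; samsrv.dll and lsasrv.dll are assumed here as the SAM and LSA server DLLs worth pinning; and the collection step (reading the Lsa key and enumerating the modules loaded in lsass.exe with their Authenticode status and hashes) is left to your EDR or a scheduled script.

```python
"""Audit the LSA persistence surface of one Windows host against a baseline (added example)."""
from pathlib import PureWindowsPath

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
SYSTEM32 = r"C:\Windows\System32"

# Illustrative baseline. Record these from a gold image of your own build;
# the package lists and hash strings here are constructed placeholders.
BASELINE = {
    "packages": {                  # REG_MULTI_SZ values under the Lsa key naming DLLs lsass.exe loads at boot
        "Authentication Packages": {"msv1_0"},
        "Notification Packages": {"scecli"},
        "Security Packages": {""},
    },
    "hashes": {                    # DLLs whose on-disk hash is pinned (SAM and LSA server DLLs assumed here)
        "samsrv.dll": "baseline-hash-samsrv",
        "lsasrv.dll": "baseline-hash-lsasrv",
    },
    "trusted_signers": {"Microsoft Windows"},
}


def _under_system32(path):
    return str(PureWindowsPath(path)).lower().startswith(SYSTEM32.lower() + "\\")


def audit_lsa(snapshot, baseline=BASELINE):
    """Compare a host snapshot with the baseline and return one finding per deviation."""
    findings = []
    # 1. Registry: any package name absent from the baseline is a new DLL lsass.exe will load.
    for value, expected in baseline["packages"].items():
        for extra in sorted(set(snapshot["packages"].get(value, [])) - expected):
            findings.append({"rule": "unexpected-lsa-package", "subject": f"{LSA_KEY}\\{value} = {extra!r}"})
    # 2. Loaded modules: location, Authenticode status, and pinned hashes for the SAM/LSA DLLs.
    for mod in snapshot["lsass_modules"]:
        path = mod["path"]
        if not _under_system32(path):
            findings.append({"rule": "lsass-module-outside-system32", "subject": path})
        if not mod["signed"] or mod["signer"] not in baseline["trusted_signers"]:
            findings.append({"rule": "lsass-module-untrusted-signature", "subject": path})
        pinned = baseline["hashes"].get(PureWindowsPath(path).name.lower())
        if pinned and mod["sha256"] != pinned:
            findings.append({"rule": "lsa-dll-hash-mismatch", "subject": path})
    return findings


# Constructed snapshot of a host where the SAM DLL was patched on disk and an extra package was registered.
SNAPSHOT = {
    "packages": {
        "Authentication Packages": ["msv1_0"],
        "Notification Packages": ["scecli"],
        "Security Packages": ["", "pkgsvc"],   # planted entry (constructed name)
    },
    "lsass_modules": [
        {"path": r"C:\Windows\System32\lsass.exe",  "signed": True,  "signer": "Microsoft Windows", "sha256": "not-pinned"},
        {"path": r"C:\Windows\System32\lsasrv.dll", "signed": True,  "signer": "Microsoft Windows", "sha256": "baseline-hash-lsasrv"},
        {"path": r"C:\Windows\System32\samsrv.dll", "signed": False, "signer": None, "sha256": "observed-hash-drifted"},
        {"path": r"C:\ProgramData\pkgsvc.dll",      "signed": False, "signer": None, "sha256": "observed-hash-unknown"},
    ],
}

if __name__ == "__main__":
    for finding in audit_lsa(SNAPSHOT):
        print(finding["rule"], "->", finding["subject"])
```

Run against the constructed snapshot, the audit reports the planted package, the two deviations on samsrv.dll (signature no longer validates, hash no longer matches the pin) and the two on the dropped DLL (outside System32, unsigned); a clean snapshot returns no findings. Pinning hashes catches the in-place modification of a legitimate DLL that the T1547.008 row describes, which a pure allowlist of module names would miss.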

Analyst notes and limits

ATT&CK identifies Pasam as a trojan used by Elderwood to open a backdoor on compromised hosts. The relationship context maps it to discovery, collection, command-and-control, defense-evasion, persistence, and privilege-escalation techniques, which makes it useful as a defensive coverage model even when Pasam-specific indicators are unavailable or dated.

The supplied ATT&CK object has no official detection text, no listed tactics, no aliases, and only Windows as the malware platform. Related techniques include broader platform lists, but those should not be interpreted as Pasam platform support. Local environment telemetry, baselines, and current threat intelligence are required before drawing conclusions about exposure or detection coverage.

Official MITRE ATT&CK definition

Pasam

Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. [1] [2]

The canonical entry is hosted on attack.mitre.org; in-page links on this page use the Glexia ATT&CK library mirror.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

8 relationships; [2] in the last column is Symantec Pasam May 2012 in the source references below.

Domain | ID | Name | Relationship / procedure
Enterprise | T1057 | Process Discovery | Pasam creates a backdoor through which remote attackers can retrieve lists of running processes. [2]
Enterprise | T1680 | Local Storage Discovery | Pasam creates a backdoor through which remote attackers can retrieve information like free disk space. [2]
Enterprise | T1105 | Ingress Tool Transfer | Pasam creates a backdoor through which remote attackers can upload files. [2]
Enterprise | T1083 | File and Directory Discovery | Pasam creates a backdoor through which remote attackers can retrieve lists of files. [2]
Enterprise | T1547.008 | LSASS Driver (sub-technique of T1547) | Pasam establishes persistence by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk. [2]
Enterprise | T1082 | System Information Discovery | Pasam creates a backdoor through which remote attackers can retrieve information like hostname. [2]
Enterprise | T1070.004 | File Deletion (sub-technique of T1070) | Pasam creates a backdoor through which remote attackers can delete files. [2]
Enterprise | T1005 | Data from Local System | Pasam creates a backdoor through which remote attackers can retrieve files. [2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0066: Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: aab22d9b86a1527a...

Imported snapshots across ATT&CK releases (1)
Release | Object version | Status | Raw hash
19.1 | 1.2 | Current bundle | aab22d9b86a1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Elderwood Sept 2012: O'Gorman, G. & McDonald, G. (2012, September 6). The Elderwood Project. Symantec. Retrieved November 17, 2024.
  2. [2] Symantec Pasam May 2012: Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Symantec. Retrieved February 22, 2018.
  3. [3] Pasam: ATT&CK relationship note for this object, itself citing Symantec Pasam May 2012 [2].
  4. [4] mitre-attack S0208: MITRE ATT&CK software entry S0208 (Pasam).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.